CORRECTED TRANSCRIPT OF ORAL EVIDENCE To be published as HC 900-v

House of COMMONS

MINUTES OF EVIDENCE

TAKEN BEFORE

SCIENCE AND TECHNOLOGY COMMITTEE

Scientific Advice, Risk and Evidence:
How the Government Handles Them

Wednesday 3 May 2006

MR NICK KALISPERAS, MR JERRY FISHENDEN, MR DAVE BIRCH

and PROFESSOR MARTYN THOMAS

DR TONY MANSFIELD, DR JOHN DAUGMAN, DR EDGAR WHITLEY

and PROFESSOR ANGELA SASSE

Evidence heard in Public Questions 470 - 574

USE OF THE TRANSCRIPT

1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.


Oral Evidence

Taken before the Science and Technology Committee

on Wednesday 3 May 2006

Members present

Mr Phil Willis, in the Chair

Adam Afriyie

Mr Jim Devine

Dr Brian Iddon

Margaret Moran

Dr Desmond Turner

________________

Examination of Witnesses

Witnesses: Mr Nick Kalisperas, Director for Markets, Intellect, Mr Jerry Fishenden, National Technology Officer, Microsoft, Mr Dave Birch, Director, Consult Hyperion, and Professor Martyn Thomas, UK Computing Research Committee, gave evidence.

Q470 Chairman: Good morning, everyone. Good morning in particular to our first panel of expert witnesses: Nick Kalisperas, the Director for Markets, Intellect; Jerry Fishenden, the National Technology Officer for Microsoft; David Birch, Director from Consult Hyperion; and Professor Martyn Thomas from the UK Computing Research Committee. Welcome to you all and to our visitors and members of the press this morning. This is our second session on our identity and technology case study, which is part of our broader inquiry into looking at the way in which scientific advice helps government to set policy, to deal with the issues of risk, and the whole issue of evidence-based policy which is our major inquiry going on. Our purpose this morning is mainly to look at process. We are not in a position as a committee and nor have we set up this inquiry to make judgments about specific technologies or whether in fact the ID Cards Programme is right or wrong. That is an issue rightly for Government. Our issue is to say: Where is the evidence to say you will meet your stated objectives behind that? That is the purpose of this inquiry. I wonder if I could invite you, Nick, to chair your panel. In case there is a need to chair it if things get riotous, then we will call on you to get your colleagues into order. Perhaps I could start by saying that the Identity Cards Programme team said that they have "consulted widely with experts". Do you agree?

Mr Kalisperas: They have had some consultation with experts.

Q471 Chairman: That is different from "widely".

Mr Kalisperas: Yes, it is. Having read the submissions, there are clearly some groups which have not been consulted. I would say there is a difference between consulting widely and having regular consultation. I think, as we approach procurement, there should be more intensive consultation specifically with the industry, so that the industry has a full and clear picture from which they can decide whether to bid for this programme or not.

Q472 Chairman: That is a fairly critical start, if I read between the lines there.

Mr Kalisperas: We are looking at a programme which carries significant reputational risk for the IT industry. We have had an ongoing dialogue with the Home Office for at least three and a half years as the Bill was going through Parliament, particularly towards the third reading, where there were a number of votes that potentially could alter the structure of procurement, that there needed to be better interaction with the IT industry, not just potential prime contractors but also those further down the supply chain, in order for them to make clear assessment as to whether they believe this project was worth bidding for or not.

Q473 Chairman: Dave, would you agree with that? What is the position on consultation? Has there been sufficient? Has it been wide enough? And what more could the Government have done?

Mr Birch: I think I would raise the question of what the consultations were about. If you are consulting industry about whether the card should be red or green, that is very different from consulting industry about whether there should be a card. A lot of the consultations tend to be discussions about the structuring of procurement and how exactly the procurement would work, and not really the kind of consultation that you would expect at a more scientific level, consultation about how the scheme should work overall and what it should do. There have been some consultations. The major consultation that I attended with Intellect, frankly I thought was a little disappointing. Most of the presentations were just telling us that this is how it is going to be, followed by an injunction to get out and do something about there being too much sort of negative publicity - and I cannot remember the exact phrasing. I do not think it was really consultation in the sense that you are thinking consultation constitutes.

Q474 Chairman: This is a pretty big project.

Mr Birch: Yes, of course.

Q475 Chairman: Martyn?

Professor Thomas: From the point of view of the technology, I do not think there has really been any consultation with the academic community. The academic community is independent and therefore can bring something to a consultative process that industry really cannot because we can stand back as independent academics and look at the viability of something and look at best practice without having a vested interest of any sort. We are not trying to sell anything, other than to try to get people to use the best possible science. From my perspective, any involvement, any consultation started in the wrong place. It is still, as far as I can see, unclear what the objectives of the overall programme are and how it is envisaged it will deliver the supposed benefits. The benefits are not quantified. They are drawn extraordinarily widely and yet are put in terms of help towards this and benefit for that. In most cases, it seems to me, there is no basis for arguing that the sort of programme that seems to be emerging will deliver those benefits, either in a significant way or that it will necessarily be the best way of delivering those benefits if you started with a completely blank sheet of paper. I feel that the consultation did not start at the right level, with stating what the really desired outcomes were at a system level, at an overall societal system level, and then trying to work through to what the right solution would be. It came in with a solution, and then started to pull in lots of benefits, it seems, almost to try to justify the solution that had been partly adopted.

Q476 Chairman: Jerry, do you feel the industry has been completely open with the Home Office regarding any possible problems with the scheme?

Mr Fishenden: We have certainly endeavoured to be, both at the Intellect meetings and through direct contacts with the Home Office. I would reinforce the point that the consultation became unduly focused, in my view, on procurement issues. I think the industry was looking for the opportunity to understand the types of scenario technology needs to support, and to debate fairly openly and with each other how the technology might actually deliver against those scenarios. Every time we came close to wanting to talk about the architecture, we were told that was not really up for discussion. That because there was an internal reference model that the Home Office team had developed themselves, that they did not feel they wanted to discuss their views of the architecture. I think the phrase they used was that they did not want to "stifle innovation" at the time they got to bid phase.

Q477 Adam Afriyie: To be absolutely clear, you are saying that they refused to show you their architectural framework document for delivering this project.

Mr Fishenden: In terms of technical architecture, yes. There were some requests from the industry to have sight of the reference model, because it is sort of implicit in a lot of what they have been talking about.

Q478 Chairman: Was industry involved with developing that reference model?

Mr Fishenden: As far as I know, not - because it was not discussed at any of the industry consultation groups that I went to.

Q479 Chairman: Where do you think the Government got its advice from?

Mr Fishenden: I presume from its own internal and external consultants that it recruited to the programme.

Q480 Chairman: I thought you were consultants.

Mr Birch: No.

Mr Fishenden: No, we are not consultants.

Q481 Chairman: Are you not able to give them that consultancy advice on the basis of industry or academia?

Mr Birch: We are ready and willing to do so.

Q482 Chairman: You are capable of doing it but you were not asked.

Mr Birch: Yes.

Q483 Chairman: One of the criticisms that could be levelled - and I am doing this innocently, as you realise - is that industry has such a vested interest in what is going to be one of the most significant commercial projects, that it does not criticise strongly enough.

Mr Fishenden: There is the reputational point to which Nick alluded earlier. I do not think anyone in industry would like to be here in 2, 3, or 5 years time, whatever the time scale might be, explaining why yet another major public sector IT project has gone off the rails if that were to happen. I do think there has been a consistent willingness on the part of industry to engage in open dialogue with the Home Office. But as we have been saying, I think the focus seems to be very much on the consultations around procurement related processes and structures and not to do with a wide, industry consultation on the technology and the type of scenarios that the technology will need to support.

Q484 Adam Afriyie: Are you aware of ways in which your advice or industry advice has been incorporated into the project?

Mr Kalisperas: Not at the moment. Not until we see the OJE notice and statement of the requirements will we have an accurate position of how our advice has been incorporated into the procurement.

Q485 Adam Afriyie: Does anybody else have any observations? So there is no visibility yet as to whether any advice has been taken or input received. Martyn Thomas, the UKCRC have said in written evidence that "Government has made no real attempt to base computing policy on scientific evidence" and you have echoed that again this morning. What led you to that conclusion?

Professor Thomas: The way in which government procurement is carried out - indeed, the way in which most IT procurement is carried out - is essentially based on technology that is 30 years old, which in an industry that is only 60 years old is pretty shocking. The extent to which requirements are drawn out and written down in a way that you can reason about, analyse for real weaknesses, and the extent to which really sound computer science is brought into the technology, so that, for example, you are not building computing systems using technology that has known security vulnerabilities which are completely avoidable but which are just commonplace and regularly incorporated in new systems, all these things are indications of a woeful lack of proper scientific foundation for the procurement and indeed implementation of IT at the moment.

Adam Afriyie: Do the rest of you agree with that?

Q486 Chairman: That is a fairly damning comment.

Mr Birch: I think it is fair to say that for large projects like this it does sometimes look as if the fundamentals of it are a little backward looking. The imagination comes from a rather 1960s world of just the giant mainframes and terminals connected to them and so on. I think that is valid. I think the origin of it is a little harder to pin down. You are taking this evidence and it must be transparently obvious to you that there is a systemic issue on large procurements like this, whereby - and I am not picking on anybody - if you are a large supplier and you make widgets and the Home Office say, "We are thinking about implementing a gigantic system of widgets" then of course you say it is a great idea, and then the discussions very quickly move into the intricacies of the procurement: "How exactly are you going to procure the widgets? What is the time scale" and so on. And the kind of scientific evidence about whether you need widgets in the first place is complicated. It is necessarily quite difficult. You have people who are, frankly, scientists giving evidence to people who are, frankly, not, and so if you have a discussion about - I do not know - what the lifetime of the next 509 certificate should be, it is just gibberish to most of the people in the room. There is a systemic problem that needs to be addressed there which is not just about the ID cards programme, although obviously that does highlight a lot of the issues.

Q487 Dr Turner: What you are saying rather chimes with what this Committee has raised at other inquiries with other government departments, the concern being that the department concerned does not have sufficient scientific expertise located within the department to act as an intelligent client to procure highly complex systems or new science or technology. It rather sounds from the tenor of your evidence that this is a criticism which may currently be valid for the Home Office. Do you have a view on that, Professor?

Professor Thomas: I believe that is generally true and specifically true for this programme. It is quite difficult for a major department to have the right level of skills for all the procurements. One of the ways that has been suggested to break through this problem, recommended by the Royal Academy of Engineering, is the introduction of what they call "system architects"; the idea being that, in the same way as an architect sits between the client who wants a new major building and the builders, the construction people, the engineers who will develop that building, and works out with the client what the requirements will be, how the business will be affected by the new system that is being procured, in exactly the same way, you could have a system architect come in for major IT systems, to work in a very technical way with the potential suppliers but in a very business-oriented way with the client and do the translation, so that the architect would capture the business requirements and turn them into a very rigorous specification before they would be put out for competitive procurement. The benefit of that would be doubled, because, firstly, you would take quite a lot of risk out of the procurement process, and also you would be able to introduce smaller companies into these major procurements. The system architects would typically come from the innovative smaller companies that are using the more advanced technology for doing things like requirements' analysis. At the moment, the major procurement structure stifles innovation because it is very hard for the innovative, new, smaller companies to get into the market. As the public sector is more than half the market for IT services in the country, that is a major impact on the structure of the industry.

Q488 Adam Afriyie: I have a slightly acerbic question. To what extent do the complaints from the industry, from Intellect and others, including yourself, stem from the fact that you have been ignored during this particular ID card project?

Mr Kalisperas: Personally, I do not think that is the case. Our responsibility is that we are not-for-profit and we are a technology-neutral trade association, so the only thing we are interested in is getting procurements right and learning lessons. If we did not think a procurement was being undertaken in the right manner, I feel, having spoken to our members, that it would be a dereliction of our duty, our responsibility then, given that we are also safeguarding their reputations as well, if we did not speak out.

Professor Thomas: UKCRC is increasingly frustrated by the fact that major IT procurements go wrong for entirely avoidable reasons. The UK is world class in computing science. We could be in the forefront of the world in developing, building, procuring new systems, if only we were prepared to base those activities on our world class position in computing science. For a variety of reasons, nobody seems to want even to engage in conversation with the academic community about a programme of work that could bring about that transformation. We are not selling silver bullets; we are suggesting that the systemic problem to which Dave Birch referred could be cured over a period of years, and the result would be that it would save the public sector billions of pounds a year. For some reason, nobody wants to engage with that agenda.

Mr Birch: Could I answer Adam's question, because I think it is an incitable question, because it is a genuine human emotion to think that you have a better idea for how to build the system - which actually I do, but that is not the point! Martyn's point about the architect, I would prefer to be seen as defending the industry. We get a lot of criticism about all of these projects continuously going wrong: nothing ever works properly; it is all a total waste of money - whether it is child benefit or things for farmers or whatever. I just want to make the point that it is not our fault, because when the government procures buildings with architects - the Scottish Parliament, for example - they are late and cost too much. It is not just because we are IT people; it is because of the way these things are approached. It is a more genuine systemic problem.

Q489 Margaret Moran: You have talked about a lack of consultation around specifying the technologies, when we have heard evidence from the Home Office that they do not want to curtail industry, they do not want to define the technology itself. Is it not contradictory that you are complaining that the Home Office are not sufficiently specifying the technology, when they are leaving that to you? Should it be business that specifies the technology?

Mr Kalisperas: I think there is a balance that needs to be struck between leaving a certain amount of innovation open to the market but being able to provide the very basis of a framework through which industry can work. We have seen from recent government procurements that have been cancelled at very short notice, having taken 15 to 18 months, that a procurement process can cost a company upwards of one million pounds in just procurement costs. Those are costs that are not going to be recovered. The one thing that we want to make sure of is that there is sufficient framework there for companies such as Jerry's or Dave's to make accurate decisions on how they want to respond to a particular procurement, what sort of technologies they want to put forward. If you just say, "We are going to leave it to the market" that is just too broad. There has to be the outlines of a specification there.

Mr Birch: Could I argue with you about the question? It is not being left up to the market; it is in fact very prescriptive. It is already decided that there will be a smart card. It is already decided that there will be a register that is going to store your address and all sorts of other things. All this stuff has already been decided. Just to picture it at a slightly higher level, if you said, "We, as the Home Office, feel that some form of national identity management system would be appropriate in a modern economy" - which I have to agree with - "Let's have a consultation about what it should do and so on" that is not the same as saying, "We are going to have a gigantic registry somewhere and we are going to have all these smart cards. Can you consult with us about what colour they should be" or something. It is a mismatch of levels there.

Mr Fishenden: I would like to add that there is something contradictory happening here. I take Nick's point that the proof will be when the procurement documents come out and we can see how outcome-based it is and how prescriptive or not the actual procurement intends to be. But I think an opportunity has been missed to evaluate alternative options for delivering those outcomes. Although I noticed that when you took evidence a few weeks ago from Katherine Courtney and her team they said it will be outcome based, in a lot of their other answers they were saying, "This is the way the card will work ... It will have this on it, it will have that on it. It will work this way, it will not store this," and you think: "Is it prescriptive or not?" I have to say that the jury is probably out until we see the formal procurement documents as to whether it is entirely outcome or scenario based around the types of behaviour, if you like, that you want to see from an ID card system. I was looking yesterday on the website. The few scenarios they do have mapped out at the moment I think still exhibit an interesting level of understanding. There is one talking about somebody who is 18 going into an off-licence and being able to assert proof of their age, and a 70 year-old looking for a 65 year-old discount. It then goes on to describe how the ID card will be used to reveal their date of birth in order to prove their age. To me that just highlights the type of issue we have been trying to flag up for the Home Office: Why would you want to reveal somebody's date of birth in that scenario? You would want to reveal their age; their entitlement that is, that they are over 65. You do not even have to reveal their age, but that they are over 65. If you start revealing things like their date of birth, then I think the banks and everyone else are going to have a huge headache. Because, what do they ask you when you phone up to access your online account? It is personal information like date of birth, but that scenario has just said that you are going to start handing that type of information out every time you use the ID card. It is that type of debate which I think concerns the industry, that after all these consultations we still do not seem to have had an impact on the level of understanding about what makes for good identity systems to practise.

Professor Thomas: There is a distinction that ought to be kept quite clear between identity (in other words: Who are you?) and authentication (What are you entitled to do?). When what you are asking for is authentication (Are you allowed into the country? Are you entitled to benefits? Are you of an age to buy alcohol?) you do not need to know who the person is. If you go that extra step to ask for identity information when what you actually want is authentication of a right to do something, then, firstly, you are violating privacy issues, but also you are revealing information which makes things like identity fraud much more likely to occur. If you start then tying authentication into biometrics which cannot be changed if they are compromised, then if you start getting those stolen electronically and using them for remote authentication, customer-not-present type authentication, you will create a security nightmare where somebody's biometrics are no longer available to them to authenticate themselves for the rest of their lives.

Q490 Margaret Moran: In summary, you are saying that lack of consultation could open up the system to greater vulnerability.

Professor Thomas: Exactly so.

Mr Birch: To reinforce Martyn's point about the distinction between scientific evidence and what the general public thinks about it, if you see what I mean, that is a very good example, the ability to reveal credentials of an individual while simultaneously hiding their identity. To understand how that works, you have to understand a certain amount about cryptography and digital signatures and blinding and so on and so forth, so there is a distinction between what the scientific evidence will be saying in that case and what in general opinion - which in some cases can be very paradoxical - can be achieved with the technology now. One of the reasons why I am rather in favour of an ID card is because it is a way of creating privacy where none existed before, but, in order to understand how that all comes together, Martyn is right, you have to layer these things. A consultation which says, just to take a simple example: Should your name be on your ID card or not? - a very simple and very fundamental question - what consultations have there been about that? Personally, I would say none, but I stand to be corrected. Basic fundamental things like that are what should be part of that consultation process. There is scientific evidence, I am sure, from other countries to say why it might or might not be a good idea to have the name on the card, but that is not the kind of consultation that has been going on. The consultation that has been going on is: We are going to have a card, we are going to have a name on the front, what is the best way to procure it?

Q491 Margaret Moran: You are illustrating the point you made before about your concern about lack of Home Office expertise, but, given that we have been told by the Home Office that the decision around technology innovation will be industry, do you think the Home Office has sufficient expertise to be able to evaluate what comes back from that process?

Professor Thomas: It seems unlikely.

Q492 Margaret Moran: Shall we take that as a general no. That seems blunt and to the point. Shall we go back to the technological architecture? We have been told in our evidence that is interdependent with the business case. Do you think that is the case? Do you all agree that there is clarity about the aims and uses of the project that we are talking about?

Professor Thomas: It is clear that the technology is interdependent with the business case because the business case is founded on the requirements and the technology should be there to support the requirements. The requirements are woefully unclear, in my opinion. Everything that I have managed to find on the web or in other documents that I have seen about the programme, lays down a set of aspirations for the ways in which the identity scheme might contribute to reducing fraud under some circumstances, but there is no quantification, there is no analysis of how the proposed scheme is going to make that kind of contribution, and you would need to get into some detail, about how it would be envisaged that the system would be used, before you could do any real analysis of whether that is the right solution to solving the problem that has been laid out.

Q493 Chairman: Jerry, do you agree?

Mr Fishenden: I think there were only three scenarios on the website yesterday as to how this card might be used. I have mentioned one of them already. I am concerned about aspects of even that scenario and the fact that it could lead to greater ID fraud risk. I would have expected at this stage to see a fairly rich set of very precise scenarios about exactly where and how the ID card would be used and to address many of the issues we are talking about here as to what gets released in those types of scenario. That is still not prescriptive on the industry in terms of specifying the particular technology or how we do it but it does set some policy requirements about making it desirable not to unnecessarily reveal identity information when that is not necessary for that particular scenario.

Q494 Dr Turner: Can you gentlemen, with your breadth of experience of large scale ICT projects, remember any other comparable case where a project has been discussed at public and political level for so long and in such detail in Parliament, yet is surrounded by such lack of decision as you have pointed out, Jerry, in the kind of scenarios that will be associated with its use, least of all any ideas of technical specification? I cannot remember anything comparable. Can you? If so, can you draw any conclusions?

Mr Kalisperas: This goes to the heart of government procuring and how government behaves as a customer. Dave has talked about a national identity management scheme. This is not it, for the simple reason that what we have here is a reflection of the silo mentality that exists with the public sector. What we have here is the Home Office procuring a national identity card scheme but only within the boundaries that the Home Office can do. When we first engaged with the Home Office three and a half years ago, it was called an entitlement card, and we wrote a paper which currently exists on our website which said that we saw an entitlement card as the natural evolution in the modernising government agenda but that for that to happen it required joined-up government, it required departmental cooperation, and it required a central owner to drive it forward. We do not have that now. We have a card that is very much reflective of the Home Office's own objectives and aims. What concerns us is not the fact that there is a lack of clarity but what is the future planning for this card. Once it is rolled out, whenever it is, 2009-2010, how else will the card be used and what level of interoperability will be built into that card? What are the specifications in terms of standards? How else does the Home Office see this card evolving? Hopefully, by then, there should be a level of departmental cooperation which should - touch wood - mean that the card would be used for more than just identity but would also enable people to access public services. That is not here. We regard that as a missed opportunity. We said it three and a half years ago and we are saying it now.

Q495 Dr Turner: You are saying that, if the Home Office were to be acting as, shall we say, the lead department for a group of departments procuring this for the wider application of the group, we might be looking at something different.

Mr Kalisperas: I think we would be. Also, I think in that regard, in terms of building public trust and confidence in the scheme itself, you would probably get a slightly more favourable response. At its basis, I think we have a lot to learn in this regard from the financial services community about how they moved from signature on credit cards to chip and pin.

Q496 Dr Turner: Can you give us some of your views about the best way to organise the database. What is the best option for the database? Is it one big, massive mainframe somewhere in Birmingham or should it be a network of loci? Has the Home Office consulted you on the architecture of the database?

Mr Birch: No, to answer the second question first. We are going to start sounding like broken records here, but you cannot answer the question about how should we organise it until you know what the requirements are. To reinforce Martyn's point, there is a scientific distinction between the kind of stuff that you have written down here and a requirement. If you say that the database should be secure, for example, that is not a requirement, that is a goal. It is aspirational. If you say the database must weigh five kilograms, that is a requirement. Something that can be tested and measured and assessed, that is a requirement. We do not really have any requirements, we have goals. I agree that some of them are quite aspirational. "Let's just take that as read" is the introductory answer to every question. Until you know the requirements, it is very hard to say. I would say that if you want to minimise risk around the database - which I think is what is behind the question, if I have understood the briefings properly - I cannot see how that can be done inside the current structure, because there are no obvious reasons why you want to store any of that data at all, frankly, as far as I can see. The purpose of the register is to ensure the uniqueness of the identities. That is its logical purpose, which is really to do with storing biometrics. I can understand the reason why you want a database that stores the fingerprint and irises, because you need to ensure the uniqueness of the entries. I do not really understand why you would want to store names and addresses or previous occupation. I do not get it. That was just made up in the Bill - if you know what I mean. That was just said in the original Bill, that it has to store your inside leg measurement or whatever. That is not the outcome of scientific process.

Q497 Dr Turner: Does that aspect increase the risk of skilful abusers of the database?

Mr Birch: I think the risk was already 100 per cent, so, when you say "increase the risk" I am not sure it makes any difference. The risk to those kind of databases, which is transparently obvious in the case of things like the DVLA and the Criminal Records Agency, is not that some Russian Mafia mathematical genius is going to find some new prime number and -----

Q498 Chairman: We are coming back to the issue of risk.

Mr Birch: The risk rests with the fact that it will be your own staff.

Q499 Margaret Moran: I am assuming that we are all agreeing that we are in the pre-procurement stage. What opportunities are there for the issues that you are raising now to be factored into the discussions? Is it all too late to have the kind of scientific advice to which you are referring introduced into the process?

Professor Thomas: It will be necessary to have a detailed specification and to have it reviewed if this is going to be a successful project. It is never too late to do that. If we carry on down the path that we seem to be going down, it may be that this system will fail completely and it will have to be re-introduced in ten years' time and then that process will be gone through. But until it has been gone through the programme will not succeed.

Q500 Margaret Moran: Is that the consensus?

Mr Birch: Because none of us has seen a requirement specification, it is kind of hard to answer that question. My suspicion is that, as currently constructed, it probably is a little late. But, then again, you MPs might all vote not to have one tomorrow and then we can start again and have a better crack at it.

Mr Kalisperas: I think I would agree with Martyn that there is enough time, but you would have to take the politics out of it, the sort of politically driven deadlines that say a card needs to be introduced by 2009, that procurement needs to be done by then. I think you have to take that out. Civil servants and the industry need to be listened to, if, in the views of those individuals, it is not feasible in that time to allow enough time for consideration of the specifications and also enough time for testing, analysis and whatever. All of that needs to take place and if 2009 is not achievable then ministers need to listen to that and need to cast aside their own reputation in the short-term and look at the longer term benefits for the project.

Q501 Dr Iddon: The Home Office seem convinced that this is the right time to introduce identity cards because, in their opinion, the advances in technology have been significant in the past few years. Assuming that you are presented with a proper business plan (that is, you know the Home Office's requirements) do you think that belief in the technology is correct?

Mr Birch: Setting aside my deep-seated objection to the use of the word "business plan" in this context, because the Home Office is not a business - I am sorry, that is just a hobbyhorse of mine - I think the answer is yes. In other words, if Parliament were to articulate a particular set of requirements of what they wanted from a national identity management scheme, from the technical side I would say that actually I do not have any fundamental concerns about the ability of the technology to implement the solution. I am perfectly confident about it, in fact.

Q502 Dr Iddon: Does anybody dissent from that view?

Mr Fishenden: I think it goes back to the question of what the intended outcomes are. I would certainly make the key point that technology is there to assist. I would not see the use of biometrics, for example, as meaning that you could take away a lot of the human element, the face-to-face, which the technology should be supporting rather than being seen as a replacement. But if you go back to some of the stated purposes of the card as they exist at the moment, which are to tackle ID fraud and the like, the biggest growth is around online and digital identity fraud and phishing attacks and the like, and yet I have heard nothing in any of the consultation about how this card would operate in an online context. I know Ian Watmore and others have said that potentially it could be used for online public services, through things like the Government Gateway, so that you could get to local council and central government services, but there has been no discussion about what that actually means for the user with an ID card. If we go back to how is it going to tackle the largest growth area of identity fraud, which is online, I am not clear how in the domestic environment, for example, biometrics are going to be used. Are we back just to chip-and-pin type technology? In which case, if that is the main use of it, it is without biometrics, so is the debate about biometrics a bit of a side issue in that context for most of the typical daily scenarios in which people could actually be using the card?

Mr Birch: I am sure it is only a matter of time before you get an email in your inbox saying: "Hello. This is the Government. We are just testing our new identity system."

Mr Fishenden: Click here to get your ID card.

Mr Birch: "Please type in your date of birth ..."

Q503 Chairman: That is very cynical.

Mr Birch: With customers of the banks, it happens all the time.

Professor Thomas: There is a really key point here because the e-government agenda is trying to move to online remote access and yet it is not clear that the national identity register helps you to identify people when you are interacting with them online. If you are simply relying on chip and pin technology and not on the biometrics, then the card can be stolen and the pin can be stolen or the card can be broken and forged - and it will be a lucrative target, so there will be plenty of resources going into doing that. If the biometrics are being checked remotely, then the remote biometrics, as a digital stream, can be captured and compromised. You can envisage man-in-the-middle attacks and various other classic security attacks which would mean that somebody's biometrics could be presented as if they had been read at that moment remotely, when in fact they had been captured some time previously and stored. That raises, as I said earlier, the horrifying prospect that individuals will simply be barred for life from accessing certain services because their biometrics have been compromised, they have been stolen, and there is no way of changing them. It is a serious error of system design to use something that cannot be changed as an authentication mechanism, under circumstances where that something, that cannot be changed, could be compromised.

Q504 Dr Iddon: Professor Thomas, is the technology available to get around all the problems that you are presenting to us this morning?

Professor Thomas: Some of them are inherent in the structure of the requirements. Technology is not magic. It may look like it sometimes, but when you have requirements that genuinely conflict then there is genuinely no solution to them other than to modify the requirements to a set that do not conflict. That is why it is so important to really look at the requirements and analyse them for potential conflicts.

Q505 Dr Iddon: Let me move to another subject. This is such a massive scheme, complex as we are hearing this morning, is it possible to trial the scheme and roll it out gradually across the country or does it have to be all or nothing?

Mr Kalisperas: It needs to be the former. It needs to be piloted and then rolled out gradually. If there is one lesson that has already been learned by the Government on IT projects, it is that "Big bang" does not work.

Q506 Dr Iddon: Would that be the agreement of all the panel, that we should trial it, pilot it, whatever the word is, before rolling it out across the country?

Professor Thomas: Yes. But I would add that the purpose of that would be to discover the weaknesses, the things that had gone wrong, and therefore you would need to allow plenty of time and plenty of budget for backtracking, for making modifications, perhaps for radical revisions of the scheme.

Mr Birch: I would trial it. Obviously you need to do these things in a phased way. Personally, I would do that slightly differently, because it is what you are piloting, so you would not issue ID cards to everybody in Manchester and see how it goes. It does not make any sense to do it like that. Most of the benefits that have been put forward as part of the consultation process are benefits of people simply having an identity number. My suggestion would be that, in the first instance, you simply pilot giving everybody an identity number; in the second phase, you pilot linking those identity numbers to them through some form of biometric register; and, in the third phase, you pilot the use of the card to deliver government services using that number. What needs piloting is giving everybody an ID number, not building a gigantic database and populating it.

Q507 Dr Iddon: We have already broached the topic of risk

Mr Birch: Yes, there is a risk of me repeating myself!

Q508 Dr Iddon: And various of you have already outlined some of the risks you see associated with this project. Do you wish to expand on that? Do you want to give us a definitive list of risks we need to look out for?

Mr Birch: First, as the backstop, the risk of not having some form of national identity management system is quite large, because it holds us back in all sorts of other areas, not just economics. If you want to have proper online voting, more online services, e-Bay, and you do not want to be pestered to death by the bank ringing you up every five minutes: "Did you buy this telly," we need something. There is a risk to not doing anything, which is that the development of our society and economy is held back. I would just say that is my kind of bent, so the question is what additional risks are we introducing above that? I will reiterate the point that I made at the beginning - which I suppose I was slightly arguing with Martyn about - which is that, generally speaking, in technical terms, once you understand what you are trying to do, the risks are tolerable. There are gazillions of smart cards in use all around the world - you know: when I get off the plane in Brazil, my phone seems to work properly. It is obviously possible to build these things and link them all up together. The risks I do not think are really there. The risks are more the risks that we already understand from things like DVLA and so on, so the risk is that you wake up in the morning and open the paper and some clerk at the DSS has got David Beckham's record out of the register and flogged them to The Sun or something. That is the risk, not that some genius is going to find some way of factoring prime numbers and forging digital signatures. I am sorry to be prosaic.

Q509 Chairman: What are the risks for you?

Mr Fishenden: Going back to the earlier point, where we were talking about architecture and the Home Office aspiration not to be prescriptive, I think it would have been useful over the consultation period - which, as Nick mentioned, goes back about three and a half years - if there had been some independent analysis of the risk associated with centralised models as opposed to distributed models of tackling national identity systems, so that actually when the bids finally go in - and, presumably, if it is a non-prescriptive procurement there will be a whole variety of architectures being proposed - the Home Office would be in a well-informed position to take an informed assessment of which of those proposed models offers the best management of the associated risks. I am not aware of any work having been done over the last few years. There is certainly no openly published work from the UK Government into the risks associated with different types of technical models for national ID cards.

Q510 Adam Afriyie: To what extent has the Home Office taken advantage of learning from schemes abroad? In view of the unique nature of the Home Office scheme, what lessons could be learned or have been learned from abroad, in your view?

Mr Kalisperas: I think, in terms of who they have asked, you would probably have to ask the Home Office. I know they have had some interaction with some foreign schemes; they have looked at some foreign schemes. In terms of lessons, I think you would probably have to ask them.

Mr Birch: I am not sure all views are equivalent in this respect. Just going on some of the schemes that we have been involved in - and I think they have visited Hong Kong, for example, and that is one of the schemes that we have been involved in - how much you can learn from those I am not sure. The UK is in a very different situation. Most of the countries that are rolling out what you would call smart identity cards - modern identity cards, not just glorified bits of cardboard - are countries which already have the equivalent of the identity register. They already have some form of ID card they are upgrading, so it is not transparently obvious that the lessons you would pick up could automatically be applied in the UK. The UK, the US, Australia are examples of countries that are in a very different place with respect to identity from other countries.

Professor Thomas: I would have expected to see an analysis of the benefits that looked at countries that had identity schemes in place and did a per capita fraud comparison, that kind of thing, in order to demonstrate that there was some level of correlation between having an ID card in place and the level of serious crime, the level of terrorism, the level of money laundering and so on. I have not seen anything like that - simply assertions that the ID card scheme as proposed will provide benefits in those areas - and yet it seems to me that there are enough identity schemes around the world that it ought to be possible to do a scientific analysis of them.

Mr Birch: The requirement is not to have an ID card and whatever. The requirement is for some better form of national identity management. Looking at other cards is really only a little bit of the story, because we should be looking at other examples where modern notions of identity management appear to be helping to transform organisations and make them more efficient and responsible and so on. It is not just a question of looking at other people's cards and seeing if we want to copy the design.

Q511 Chairman: Are we being too ambitious?

Mr Birch: Personally, I think we are not being ambitious enough. I think we should be looking to a fundamentally modern, 21st century, forward-looking vision.

Q512 Chairman: Surely that is what the Government, to be fair, are saying. They are saying, "We are not going to define what is going to happen."

Professor Thomas: They have defined it, though.

Q513 Chairman: "We are going to leave it to you guys to design a system around our specification." I think you are being very harsh on the Government.

Professor Thomas: I think that is a misperception.

Q514 Chairman: I am smiling when I am saying this.

Professor Thomas: Looking at what has been done, rather than what has been said, would lead the man from Mars to assume that the real objective was to create a database of the nation's biometrics, and that everything else was just window dressing. Because that is where all the effort has gone: into defining a biometrics database. If that is really the requirement, that is fine, the Government is entitled to have that as a requirement, but then that ought to be specified and people can focus on that. If, on the other hand, the real requirement is for a modern, societal, identity management scheme, then we ought to debate what that would look like, not how it would be implemented, and biometrics might have no part to play in that.

Mr Kalisperas: But if you seek that then you have to look beyond just the Home Office.

Mr Birch: Yes.

Professor Thomas: Absolutely.

Chairman: You have made that point.

Q515 Mr Devine: I think I know the answer to the next question, but do you think there has been a lack of open and informed debate regarding this scheme?

Professor Thomas: Yes.

Mr Kalisperas: I think there has been a fairly open debate in Parliament but I think it probably has not been the sort of debate we would like to have with the industry. It goes back to the point about a statement of the requirements and having much clearer discussion about that in particular. We have consistently said we do not think the technology is going to be the problem on this. If there is clarity in terms of the objectives, if there is clarity in terms of the business case, if there is enough time to make sure that the system is tested but there is enough time to make corrections, then I think the system will be delivered, but you need a strong customer and you need a customer who is prepared to work in partnership with the industry and to listen to what industry has to say on this. Because there is no shortage of advice and there is no shortage of willingness - and that does not come from the fact that the industry thinks it is going to make loads of money out of this, because when it comes to public sector IT projects, the industry does not make a lot of money, it gets a lot of flak - and our overriding objective for this procurement, as with all others, is to make sure that it is implemented correctly. There is enough best practice out there for government to listen and to take heed.

Mr Birch: There has been lots of debate but it has not always been terribly helpful, because ID cards carry such an emotive core to any discussion. From my perspective, as someone who is very interested in the whole area, the debate fragmented very early on. Either you were in favour of everything the Home Office wanted, in which case you were a fascist lackey of an oppressive state, or you were against it, in which case you were an anarchist: "No to ID". There was no middle ground. It just immediately went into these polarised positions. Most people, I would think, actually belong somewhere in the middle, which is: "We ought to do something about identity. We ought to improve the identity situation, but possibly what the Home Office first put forward is not quite right and deserves some reflection." I think most people are in that middle but the whole debate has been characterised by you are either for it or you are against it; you are either an anarchist or a fascist.

Q516 Mr Devine: To what extent has the Home Office communicated successfully the benefits and the risks of the technology to the public? You have made wry comments on the problems, and Jerry you made reference to the fact - as I phoned my bank yesterday and they asked me for my date of birth - that this could be on this card.

Mr Fishenden: Personally, I do not think it has been terribly well communicated, and it goes back to those scenarios. People need to understand what the impact is going to be on their daily lives. Potentially there were some quite interesting examples like proving you are over 18 to buy alcohol or to get a bus pass or whatever, but I do not think there have been enough of those in the public domain and unfortunately the few there are seem to have some inherent flaws in the way they are proposing for them to work. So communication, such as it is, is both insufficient in quantity, if you like, and the quality of it at the moment is not of the calibre I would expect.

Mr Kalisperas: Again, I think there are lessons to be learned. Citizens tend to react well to systems which have a benefit to them. So, for example, direct payment seems to have gone down relatively well because it means that the citizens are receiving their payments automatically rather than having to go to the Post Office. Again, with chip and pin, that seems to have gone down relatively well save for a couple of instances. I think the issue has been, as was said previously, mention the word identity cards and the whole debate becomes polarised, and if there was more of a link towards access to public services, entitlement, et cetera, you would get a different public response.

Q517 Adam Afriyie: I have a relatively straightforward question on costings. The Home Office has released a very precise figure, £584 million or something, for delivering the ID card scheme per year. Is that figure legitimate or lunatic?

Mr Birch: Until I see the requirements I could not comment.

Mr Kalisperas: Agreed.

Q518 Adam Afriyie: So the requirements are required?

Mr Kalisperas: Yes.

Chairman: I am sorry that has been a helter skelter through. We could have spent a lot more time on your Panel, but thank you very much indeed.


Examination of Witnesses

Witnesses: Dr Tony Mansfield, National Physical Laboratory; Dr John Daugman, University of Cambridge; Dr Edgar Whitley, London School of Economics and Political Science; and Professor Angela Sasse, University College London, gave evidence.

Q519 Chairman: Could I welcome our second panel to the inquiry today? I will not repeat what I said earlier but this is a key inquiry looking at the issue of the way in which Government assesses risk in terms of its policy-making, the way in which it uses scientific advice behind its policy-making, and we are very anxious to look at the process rather than, in fact, to make judgments about whether we should have ID cards or not. That is an issue for public policy. We have in front of us Dr Tony Mansfield from the National Physical Laboratory; Dr John Daugman from the University of Cambridge; Dr Edgar Whitley from the LSE, and Professor Angela Sasse from UCL. Now, before I start my line of questioning could I ask each of you, do you have any commercial interest in any of the technologies which are being proposed either by yourselves or by the Government?

Dr Mansfield: Speaking for myself I have no attachment to one technology or the other, but the area in which I work is in evaluation of biometrics, so obviously I have some interest in technology.

Dr Daugman: I do not, and I would like to correct something that was said in the previous hearing of this Committee which was I have the worldwide rights to iris scanning ---

Q520 Chairman: I said that.

Dr Daugman: In fact, there are no worldwide rights to iris scanning. Anybody who could come up with an algorithm is free to deploy it. I am the inventor of the technology and the author of the algorithms that are currently used in all public deployments and I have acquired a number of patents in that, but in the year 2004 I irrevocably assigned all of my interests in those patents to a charitable trust, so I currently have no commercial, financial interest in either iris recognition or any biometric company.

Q521 Chairman: Thank you very much. Thank you for putting that on the record, and if I misquoted you I apologise.

Professor Sasse: I am in the same position as Dr Mansfield. I have no attachment to any particular technology but I work on evaluation of the technology so I work as a consultant.

Dr Whitley: No connections whatsoever.

Q522 Chairman: Thank you. It was important for me to put that on the record so that the Committee is seen to be fair in this issue. The ID cards programme team said they consulted quite widely. Do you agree, and what more could they have done?

Dr Mansfield: Well, there seems to have been a process of continual consultation and I think they have been listening since 2002, when the consultation exercise on entitlement cards was conducted. There may be one or two things that could have been done additionally. When you asked the previous panel the question one of the things which I think could have happened is better engagement between the original consultation and procurement, and there were perhaps a few opportunities that were missed for engagement with industry and academia to investigate certain solutions or certain problems prior to the procurement starting.

Q523 Chairman: But generally you are happy with the consultation. John?

Dr Daugman: Behind the scenes there has been a fair amount of scientific consultation, at least in my experience, from Home Office scientists. People have asked me specific technical questions based on the scientific literature, for example, could I point them to references. I would make a distinction between that and the public debate about ID cards which has been woefully lacking in scientific understanding. The press have picked up on all kinds of false assertions which then go on to be repeated, for example in the LSE report as fact so, as you have seen, the thrust of my written evidence to this Committee concerns the very poor quality of the public discussion of scientific issues around ID cards, but the quality of Home Office consultation in my experience has been rather high.

Q524 Chairman: We will return to some of those issues later. Professor Sasse, the general consultation?

Professor Sasse: I would agree there is a lot of consultation that has taken place and certainly I have been particularly involved in the process since 2004 when the Home Affairs Select Committee looked into the proposed legislation, and it is quite visible that they have taken on board some advice and outcomes of those consultations in the way that the proposals have been developed. However, I think it is also fair to say that possibly one of the reasons that the process went in the way that Dr Daugman just described is because right at the beginning the Home Office sought to influence the public debate in a way which has turned out not to be very helpful by basically putting out a no-holds barred, positive assertion of a whole range of benefits that could be derived from the programme, without having made a ---

Q525 Chairman: A proper assessment?

Professor Sasse: Yes.

Q526 Chairman: Do you basically agree with that?

Dr Whitley: Yes. On Dr Daugman's point I know the Committee does not want to go into detail on this but we have responded to the specific allegations we have made ---

Q527 Chairman: You can fight outside!

Dr Whitley: I understand, but just to say we have responded in detail to his allegations.[1]

Q528 Chairman: Tony, how reliant do you think is the Home Office upon your advice on biometrics, and what is your role in the Biometrics Expert Group? Do you have too much influence in that area?

Dr Mansfield: The Home Office draws on expertise from more than just myself. Originally there was a feasibility study for Passport Service and DVLA and Home Office about using biometrics to strengthen identity documents such as entitlement cards. The study was quite narrowly focused, and focused entirely on the biometrics component. Of course that study is four years old; the work was conducted in 2002; things have moved on since then. To my mind the Home Office has not been over-reliant on the advice that was given back in 2002/2003, but it probably has not come across that way in terms of things which have been said or things which have been put out in the public arena. There is more evidence that they have considered and taken on board that has not been put on the website.

Q529 Adam Afriyie: For Professor Sasse and Dr Daugman, to what extent has the Biometrics Assurance Group been involved in the ID cards programme?

Dr Daugman: It has just begun. It had an organisational meeting in November and a subsequent meeting in February, both of which were mainly briefing opportunities for us to be briefed by Home Office officials and affiliated scientists. Things are accelerating a bit more now. We have a set of sub-committees who are investigating particular challenges looking into, for example, security and spoofing and stability in biometrics and the NIR (National Identity Register) issues, so that is just beginning now.

Q530 Adam Afriyie: So the answer is just two meetings?

Dr Daugman: So far, yes.

Q531 Adam Afriyie: And roughly how long were those meetings?

Dr Daugman: Full day meetings, or three quarters of a day, and the next is next week.

Q532 Adam Afriyie: Is your advice during those meetings given proactively, or are you reacting to probing from the Home Office?

Dr Daugman: So far we have not formally given any advice at all. We have been getting briefs.

Q533 Chairman: Angela, could you comment on that?

Professor Sasse: This is correct. Also, I raised some questions in the briefing and they were followed up by the relevant members of the ID cards team who asked my advice on the trial they are planning starting towards the end of the year, so they did actually consult me subsequently on some of the points I raised.

Q534 Chairman: Could I ask John and Edgar briefly, John in particular, given your involvement with iris scanning and the history you have with that, how can you be independent?

Dr Daugman: I am an academic; I have been at Cambridge University for about 15 years since 1991; can intellectual work which has practical applications be deemed independent? I think so. Overall there are broad mathematical issues in decision-making under uncertainty, pattern recognition, fusion of evidence - all kinds of abstract questions about how you make decisions about someone's identity perhaps by searching a database the size of the entire country based on some biological data. Those are fundamental scientific and mathematical questions about which I have a lot to say, but having no financial interest in the technology I think I can claim independence. I will admit to an intellectual and scientific interest in the technology but no financial interest.

Q535 Chairman: Would you agree? In terms of the independence of the advice of governments, that is the question I am trying to get at.

Dr Whitley: I think the raw scientific evidence such as, for example, was given in the supplementary evidence from the Home Office, we are not actually on that great a disagreement with. We both said that the number of real trials - the figures are here - for fingerprint trials the database sizes were in the millions, face recognitions in the tens of thousands and iris performance statistics from independent tests were limited to the hundreds. If that is the scientific evidence we have no disagreement with it. It is a question of, on the basis of that can you roll out biometric identification in the time scales and at the cost levels that the Home Office is intending. That is where much of the disagreement arises.

Chairman: We will return to that. Margaret?

Q536 Margaret Moran: We heard in the last session and, indeed, elsewhere that there seems to be a lack of clarity about aims and uses of the scheme. Would you agree with that?

Dr Whitley: Yes.

Professor Sasse: Yes.

Dr Daugman: No.

Dr Mansfield: Partly! There are some uses that I think are quite well specified. To the use of biometrics, for example, at the time of enrolment for an identity card to ensure that someone has not previously registered for an ID card using completely different identity details, that is reasonably well established so there is a fair bit of clarity there. Some of the other potential uses are less clear, but when we are talking about an identity management system for the future it is difficult to predict exactly everything which could be done in the future. That is why part of the uses are well-defined and some are not so well-defined.

Dr Whitley: To give two quick illustrations, the first came out in the press a couple of weeks ago where Mr Burnham was saying it would be a good idea to have health information stored on the central database;[2] Mr Clark, responding to Simon Carr[3] said, and repeating what had been said in Parliament, health information will not be part of the database and will require primary legislation to introduce it. Now, if you are thinking of introducing that you had better get that down in the specifications for your system quickly, rather than five years down the line introducing a voluntary database that requires storage, processing, et cetera, et cetera. It is those kinds of things that certainly give me concern about the clarity within the system. Similarly on biometrics v PIN numbers. Mr Burnham said biometrics is great for assessing identity; other forms of authentication, such as PIN numbers and passwords, can be stolen along with a card so are much weaker at linking a person to an identity.[4] Again, the Government's scheme seems to be for large parts using PIN numbers to verify that this is your card, a point that was made earlier.

Q537 Margaret Moran: We have been told in evidence that the technological architecture of the scheme is dependent on the business requirement. Do you agree with that, and you can give short answers.

Dr Whitley: Again, it is not clear exactly what the business requirements are. There are Home Office business requirements but all the other government departments who are expected to link in have not yet got round to doing in detail what kinds of services, and whether it is cost beneficial for them to link into the system, et cetera.

Professor Sasse: One of the benefits that the Government keeps returning to is that it would reduce benefit fraud. Now, if you look at the Department of Work and Pensions' statistics about how benefit fraud is committed you will find that well over 90 per cent is committed by people who do not lie about their identity. They are perfectly honest about who they are; they lie about their circumstances. So, that said, you would need a much more detailed proposal. Now, a strong identity might allow you to pick up more easily if somebody has several jobs or claims they cannot work, but you would need a much more detailed proposal to see how establishing a strong identity would help you to realise that promise.

Dr Daugman: Certainly the technology architecture depends on the goals which are set. I am not sure I understand what is meant by the business architecture. If it means, for example, federated versus centralised databases then clearly that is an architectural issue.

Q538 Margaret Moran: Has the Home Office communicated clearly throughout all the phases of this project?

Dr Daugman: You mean publicly or privately?

Q539 Margaret Moran: Both.

Dr Daugman: Obviously privately we would not, in general, know the answer to that. In my personal experience, yes. Publicly I would say it has been less successful.

Dr Mansfield: I would agree. Given that there can be so many misconceptions about how the scheme should work, would work, there are some problems with communication.

Dr Turner: There seems to be a magical assumption that somehow the use of three biometrics will produce the result that no one has ever achieved before. Do you think three biometrics are necessary? Do you think that maybe in hitching the wagon to three biometrics we are setting up such complications for ourselves that the scheme may fall under the weight of its own over ambition?

Q540 Chairman: Is it achievable, as well?

Dr Mansfield: The different biometrics are kind of there for different purposes. I think if we have an identity document we would want it to look like a traditional identity document and, indeed, to be used as a passport within Europe. That implies it should have a photo on it which means you are collecting face biometrics. Also you may be using finger prints as a primary biometric to establish a unique identity. Moreover, you may want a third biometric so that citizens that have an identity card, a wide variety of citizens, are able to biometrically prove their identity. If some people have difficulty finger printing, they can use iris instead. The fact there are three biometrics does not necessarily mean they have to be fused in a very complicated way and add a lot to the complexity of the scheme. Some of the things are there quite naturally; some are there to give an element of choice.

Dr Daugman: The role of substitution opportunity is clear; some people may lack eyes or fingers. The fusion is a much more subtle issue because, if you combine a strong biometric with a weak one, for example, the face is a very weak biometric, in a certain sense you can end up with a performance that is intermediate between the two - in other words, averaged, in other words, inferior to what you would end up with had you used only the stronger biometric. Now, there are ways to fuse stronger and weaker biometrics to improve performance, that is a subtle mathematical point, but I believe as currently expressed the goals of the Home Office do not contemplate fusion but more substitution.

Q541 Dr Turner: Is that absolutely clear, that fusion is not involved?

Dr Daugman: I have seen correspondence from Katherine Courtney to that effect. For example, iris has the unique ability to make vast database searches without making false matches, but it is not necessarily the easiest to use. Face in a sense is the easiest thing to present; it is just not very discriminating; so to search for detection of multiple identities in the clean, new database register would be the main role for iris, not every time you want to use a credit card. You see, if you combine biometrics at decision level in a certain sense you are using either an "or" rule or an "and" rule. The "or" rule says you should pass either of my tests. In that case the false match rate gets worse; the false reject rate gets better. The "and" rule says you must pass both my tests. In that case the false match rate gets better, and the false reject rate gets worse. So there are subtleties about the two different types of errors that can be made in the biometrics and the desiderata of fusion schemes.

Q542 Chairman: Do you basically agree, both of you, with that assessment?

Dr Whitley: In terms of what?

Q543 Chairman: That (a) we are not looking for fusion, and to be fair the Government has not said it is going to have huge technologies, but we are looking for three biometrics which give you alternatives within the recognition system.

Dr Whitley: Except of course that if you are going to be using biometrics at the front line rather than for enrolment then saying you are going to have either finger prints or iris - probably not face - for a reasonable security risk, then that means you are going to have to have two different sets of readers which, again, has cost implications and practicality implications.

Professor Sasse: For the individual it does have implications. If you have to enrol on three biometrics rather than one the enrolment time goes up. Also potentially I have seen in the past that particularly people who do not use the systems frequently easily get confused between face recognition and the iris system and they end up presenting their face to the iris system and vice versa.

Q544 Dr Iddon: John Daugman, iris recognition is controversial, is it not?

Dr Daugman: I do not think it is particularly controversial, no. There is a lot of misunderstanding about the eye. A typical argument against iris recognition goes as follows: the iris is part of the eye; the retina is also part of the eye; oh, look, here are some conditions and diseases that may affect the retina, therefore iris recognition will not work. That was the general thrust of the LSE objection to the scientific feasibility of the iris biometric, so clearly that is based just on an elementary misunderstanding about the parts of the eye. For example, cataracts affect the lens of the eye which is behind the iris and in front of the retina, so cloudiness of the lens and cataract would interfere with retinal imaging but certainly not iris imaging. That was one of several such elementary misstatements of fact that occurred in the LSE report and in the public and in the media.

Q545 Dr Iddon: What about biological changes in women, for example?

Dr Daugman: Yes. MPs have made a number of groundless statements, for example, that women who are menstruating cannot use iris recognition.

Q546 Chairman: Excuse me, John. We made that assertion because we heard evidence in the US to that effect. It was not something that MPs made up. It was on the basis of evidence which we had in the US.

Dr Daugman: I would love to know the nature of that evidence. I do not know what model of menstruation involves the iris. Likewise there are assertions that looking at an iris camera will give you an epileptic fit. These are speculations which have a history of rising in their credibility because what is introduced as a speculation in one report, or document, including US Government documents and the GAO report, becomes promoted to the status of facts in the next report, and ---

Q547 Dr Iddon: Are you saying there is no scientific evidence for these biological changes? When a woman becomes pregnant, for example. It is not just menstruation.

Dr Daugman: I have done considerable investigation into this question over the last ten years, the question does the iris change, and there is a lot of history I can tell you out there. There is currently no scientific evidence that I am aware of that supports the view that the iris changes over time. Now, there is a cult practice called iridology which is similar to palm reading, it claims to be able to assess the state of health of each organ in your body as well as assess your personality and your interpersonal compatibilities and, indeed, predict your future. That is, of course, hocus pocus and there are six or seven published scientific studies by medical groups that bothered to try to take it seriously and do double blind studies, and their articles are published in journals like the British Medical Journal and the Journal of the American Medical Association with titles like Looking for Gall Bladder Disease in a Patient's Iris.

Professor Sasse: My title is Professor of Human-Centred Technology so if people are concerned about some of these issues then I will just turn around and basically say that there is no scientific evidence; it is hocus pocus, and dismiss it. In some parts of Europe there are parts of the medical establishment and there are certainly lots of people who believe in alternative medicine and found that it has helped them. Therefore, there are, of course, concerns basically that, if their iris image is stored in a database that the Government has access to, this might have implications, say, for medical treatment you can get or being selected or omitted from certain jobs, or whatever. I think it is quite hard, and not right to just go and dismiss these things. There is more of a process that has to take place. Similarly, I have spoken to some doctors who basically say that they can see changes in the iris. I cannot say they are right or wrong, but there definitely is a belief and it is not useful to dismiss these things out of hand. The other point is this confusion between the retina and the iris, which is something that is in the general public quite forgivable because they are both called a scan even though they are quite different technologies, and what the user sees is this light beam coming out of it, and they get confused and think their eye is being scanned, when all that happens is this beam illuminates the iris to make sure you take a good enough photograph. But I think the manufacturers of these systems do themselves a disservice by calling it a scan which keeps furthering this misconception between the two.

Dr Mansfield: We have run evaluations of biometric technology and we have not observed any such thing with menstruating women or whatever, so it is unlikely to be a direct cause and effect. There may be other issues which are associated with a particular person which meant they had difficulty in using a particular iris scanner, or were in a bad mood and would not co-operate on a certain date, or whatever. So there is no reason why iris recognition technology should have such an effect.

Chairman: It would not affect MPs!

Q548 Dr Iddon: Tony, you said facial recognition was not a feasible option, yet the Home Office appears to be pursuing this line of inquiry. Why?

Dr Mansfield: We said face recognition was not a feasible option for identifying one person in the national population, and that is fairly obvious when you consider identical twins, where one would appear very similar to another. But if you have a passport you are expected to have a face image on the passport to meet with international requirements, if your passport is going to be usable. Therefore, it is natural that faces would be collected and would be one of the biometrics within an identity card scheme.

Q549 Dr Iddon: Angela, we have not mentioned so far this morning the societal impact of any scheme that might be introduced with identity cards. Do you think the Home Office has done any or even sufficient research on the societal impact of an ID scheme?

Professor Sasse: I think they did become aware of the issue during the Home Affairs Select Committee investigation. There were basically several submissions that pointed out that there is a certain part of society where people have complicated lives, that there are people who could not very easily go to enrolment centres and so on, so, yes, they certainly did start to engage with that issue. I am not sure that really in every detail the impact on various individuals in society has been considered thoroughly enough.

Dr Whitley: I have just a quick illustration. At the Westminster e-Forum meeting on 14 February there was a speaker from a mental health charity[5] pointing out that if you have mental health problems and schizophrenia[6] and are concerned about government, being forced to enrol in a government-controlled database is clearly not going to be very beneficial for you.

Q550 Dr Iddon: So what do we do about this?

Professor Sasse: Similarly another example is that doing the UKPS trial it became quite clear that certain groups of disabled people have significant problems with some of the technology, but I have just been approached, for instance, by the RNIB who say that from this report they cannot work out what exactly the reasons for it are and yet this charity, for instance, is not able to investigate in more detail exactly what the problems are and how the systems should be developed. So there is a bit of a lack of depth and a lack of following-up on problems that have been discovered to see how they could be overcome.

Q551 Dr Iddon: So is anybody pursuing any research in this?

Dr Mansfield: From my current involvement with the ID cards programme, I am aware that some of these problems are being followed up.

Q552 Chairman: By whom?

Dr Mansfield: By the Home Office.

Dr Daugman: I am working with three ophthalmology groups investigating those questions about whether individuals who have visual impairments have difficulty with iris recognition. Those are the RNIB, the Manchester Eye Hospital and the Edinburgh Eye Hospital. I have arranged for equipment to be made available to them so they can conduct that research.

Q553 Dr Turner: Can you give me your views, please, on the risks involved in this project, and do you think that the Home Office has considered them seriously enough?

Dr Mansfield: In 2003 I was at a risk workshop[7] at an early stage looking to try and identify the risks and possible mitigations. It is certainly well aware of the risks and is identifying and trying to manage risks. The risks I would say are probably because it is a very large project, a very large procurement, of which biometrics is just one small part. There seems to have been a focus on the biometric element as being the most technical and perhaps least understood element of the whole scheme, and to my mind assuming that is where all the risks lie is totally incorrect.

Dr Daugman: In April of 2004, about two years ago, an important study called The Challenges of Complex IT Systems was published by the Royal Academy of Engineering in co-operation with the British Computer Society. That is a substantial document that tries to understand both why complex IT systems have in the past sometimes failed and it also charts the progress internationally of the failure rates, which have improved quite a lot in ten years. That document, together with other significant documents on risk assessment, is a big part of the brief that has been given to the members of the Biometric Assurance Group.

Q554 Dr Turner: Presumably there has to be a risk that biometric data can be falsified, or at least stolen and attributed to the wrong person, especially if a successful potential hijacker, for instance, were to hack into the database. How certain can any of you be that those highly dangerous risks cannot happen?

Dr Daugman: CESG within GCHQ have a substantial research programme in this area. I am assisting them in assessing the security risk. You have to distinguish between two kinds of replay attacks; the digital one, which involves hacking into the database, trying to steal or decrypt a secret part of the database, and the other is an analogue replay attack by putting on a latex gummy finger print, for example. Those have different counter measures associated with them. Briefly, the risks of digital replay attacks are essentially those of cryptographic code-breaking, so they have encryption protocols which have been well established for decades now, particularly DES3. Those are certainly no greater than the risks of security communication, and incidentally with some biometrics you can permute the bits, or the bytes, of the data so that a given stored iris code has no value tomorrow or next month, or indeed one minute from now, because there are ten to the 507th power different permutations of the data, provided that the same permutation protocol is followed at the hosts, as at the database. Essentially an iris code as a digital set of data becomes of no value, if it is stolen, it has no value after the next permutation. I would say there is greater vulnerability, substantially, to analogue replay attacks, for example, wearing a contact lens which has somebody else's iris pattern printed onto it, either for concealing your own identity or impersonating another identity. I regard that risk as probably the weakest point of that particular biometric. There are eight or ten physical methods as well as software methods that have been developed to detect false patterns on the surface of the eye as opposed to the iris pattern. The true iris lies inside the eye; the pupil is always moving; the iris pattern is stretching as the pupil moves - there are six or eight physiological as well as other photonic counter measures but most of those are unproven, they are assertions of principle, and that is going to be one of the main elements of testing and assessment in the forthcoming year.

Professor Sasse: There are a lot of different ways of attacking a system and it might be quite difficult to mount such a technical attack but, on the other hand, bribing somebody to store my biometrics against a different name is fairly straightforward, so what you have to do is the entire socio-technical system. That is, the identity card system has to be engineered and operated to an extremely high standard, not just of technical assurance but also of behaviour and monitoring and auditing of all the interactions that take place with a system. The problems that have happened in the past are simply because the wrong person's name has been entered against the wrong biometric. There have been several cases of false arrests in the US, and you may remember the Brandon Mayfield case, so these kind of things happen and I think you have to consider there are many different ways of how you could try and attack and misuse the identity in a system, and that it is quite a complex exercise. I think any security professional will tell you that you cannot guarantee that a particular risk will actually happen; all you can do is mitigate the risk to the degree of the resources you have available to do it.

Q555 Chairman: Do you agree with that?

Dr Whitley: Yes. In terms of the risk it is broader. There is a very practical risk that the IPS is only piloting the recording of fingerprints from late 2007[8], and the scheme is supposed to be up and running in 2008/2009. If that piloting reveals more problems than the roll-out scale that they are talking about, and I think they are talking about up to 50,000 enrolments a day, so if there are any practical problems there are risks there. There are the security risks, the lack of specifications, the central database rather than a distributed one, all those kinds of things, and there is also the risk that Ministers seem to want to be rushing the scheme for political reasons. They want enough people to be on the scheme so if they do not win the next election the Conservatives will have a much more difficult case for cancelling the project[9]. And, again, rushing projects makes things go wrong.

Q556 Adam Afriyie: In the US, United Arab Emirates, Hong Kong, Philippines and Belgium, I think, there are various different ID card models. To your knowledge, has the Home Office investigated these various international models and, if so, have they learned the lessons that other nations have learned?

Professor Sasse: Yes. I think they have taken great effort to look at other schemes that are in operation and to learn as much as possible from them. However, as a scientist I have a slight problem with some of that in that in several of these schemes there are no proper controlled observations available, so what we will be getting is a statement from the Government saying, "We will give you the exact figures for the UAE. They have operated these schemes for these persons, they have made so many successful arrests", and they will claim that no person in the database has managed to enter the United Arab Emirates. Now, if you managed to beat that iris scanner and managed to get into the United Arab Emirates - it is a claim that is very difficult to verify! There have been no observed, properly controlled trials where we would have the figures that we can work on. We basically have to take on trust what they are saying. Also, what you have to consider is that systems operate in a particular social and cultural context, and the social and cultural context in those countries may not be exactly the same as in the United Kingdom, so certain behaviour that might be required from the citizen user in order to make the systems operate that may be perfectly acceptable there may not be acceptable to the citizens of the United Kingdom, and that aspect has not been looked at in a great amount of detail.

Q557 Adam Afriyie: My experience echoes yours. I was in Dubai recently and I did not see any piece of equipment anywhere scanning anything ---

Dr Daugman: That is because you did not require a visa to enter. It is only for foreign nationals who require a visa who are submitted to the iris camera. And, by the way, about 1 million iris codes have been enrolled in that deployment, and about 8 million in Andhra Pradesh in India in a welfare scheme, so the total number of iris enrolments is now around 10 million ---

Dr Whitley: I was simply quoting from the Home Office submission. That is all.

Q558 Chairman: But the point Angela was making is it is hard to verify the effectiveness of these schemes.

Dr Mansfield: In the schemes which are operating somewhere else using biometrics one of the things we know is that the environment, the population that is using the system, have a strong influence on the performance and the way these systems will work, so it does not matter how closely we look at other large schemes; it does not necessarily tell us exactly what would happen with biometrics on the United Kingdom scheme and, as Angela pointed out, the operational data is not quite the same as data in cold circumstances so one has to interpret what one finds out.

Q559 Mr Devine: I think I know the answer to this but has there been a lack of open, informed debate regarding this scheme amongst the public?

Dr Daugman: I think I have answered that!

Dr Mansfield: It is open but not terribly well informed.

Professor Sasse: Yes.

Dr Whitley: Yes.

Q560 Mr Devine: Do you agree with the evidence we have received which says the public discussion of scientific issues, both social and technological, relating to identity cards has been of poor standard?

Dr Mansfield: Yes.

Dr Daugman: I am the author of that sentence, so of course!

Professor Sasse: It has been of a poor standard but I would have to take issue with the author. With all the respect I have for Dr Daugman, I would say this is not something that can be pinned on the LSE. I think the Home Office itself, in my view, was guilty of this by basically, when they started their first opinion polls on the matter, putting forward this agenda of things that would be fixed through the introduction of an ID card without any clear analysis, and I think they were quite cynically pushing certain buttons they knew would work - illegal immigration, organised crime, terrorism - and basically promising, "If we introduce the ID card it is going to deal with all of these problems."

Q561 Chairman: In terms of the public debate surely the LSE report, which you were both involved with, has dominated much of the public debate. Has that been a good thing or not?

Dr Whitley: It certainly has informed much of the debate. Do not forget ---

Q562 Chairman: With heat or light?

Dr Whitley: Hopefully with useful contribution! It is a 300-page report. Just as one aside, it is portrayed as being this completely off-the-wall, completely bizarre set of results. We had a look at the conclusions of the Home Affairs Select Committee and the conclusions of our own report, and 71 out of 94[10] of those conclusions we either strongly support or conditionally support, so it is not as though we are saying strange things; we are just presenting different sides to the argument. The glass is half empty rather than half full.

Q563 Chairman: Angela, do you remain faithful to the report?

Professor Sasse: I do not agree with every single detailed point in it but it was a valuable contribution and I have been quite astonished by the way in which the Home Office reacted against the report because the intention was to seek a constructive debate and unfortunately it did not quite work that way.

Dr Whitley: More generally, I think the way the Home Office reacted to the LSE report has very worrying implications for the way independent academic advice is presented in the future. The kinds of abuse we have received, ad hominem attacks from Home Office ministers, from the Prime Minister all the way down, is going to make academics very reluctant to stick their heads above the parapet and say, "I think Government is not right in this", or that there are different opinions that need to be taken into consideration.

Q564 Mr Devine: Do any of you think this can be rolled out in 2009, considering we are now halfway through 2006?

Dr Whitley: I have real doubts that it will roll-out successfully in that timescale unless either costs are increased or significant compromises are made about the implementation of the system.

Q565 Chairman: Would you all agree to that?

Professor Sasse: A lot will depend on the next trial that is being planned.

Dr Mansfield: I cannot say that the Home Office have particularly said, "It will roll out in 2009 no matter what." There is a lot of water to go under the bridge in terms of what happens during procurement, what happens in terms of trials, what happens in terms of roll-out activities, so time will tell.

Q566 Chairman: John, do you support that?

Dr Daugman: Yes.

Q567 Adam Afriyie: So we would not bet our salaries on the project being delivered on time. Can I offer another wager? Would you bet that the estimates of cost from the Home Office will be met?

Dr Daugman: Which are the---

Q568 Adam Afriyie: The £584 million a year.

Dr Daugman: Well, I am sure the cost will lie somewhere between that and the £19 billion that the LSE estimated.

Q569 Adam Afriyie: It is not a spread bet!

Dr Daugman: The roll-out is quite incremental and phased over three or four years. I have seen 2008 and 2011 with a gradual attachment to passports, so it is not a D-day event.

Q570 Adam Afriyie: Is everybody else happy with the Home Office costing of the project?

Professor Sasse: We have not been given enough detail to really check the validity.

Dr Whitley: To be absolutely clear the £584 million is the average annual running costs to the Home Office alone, not the set-up costs and not the costs to other departments. On the basis of no technology trials or limited technology trials and specifications still being changed I just cannot see how they can be so clear that it is £584 million. I think Mr Clarke said it might actually go down[11] and Mr Burnham said that despite a year from that initial figure being released and more information being gathered, overall the figure has not changed.[12] I cannot see how that figure can stand in the future. And, just for the record, the £19 billion was our upper limit. We provided three sets of estimates, low, medium and high, and the £19 billion is the high limit of a worst case scenario, where lots and lots of things do not succeed in the way the Home Office would expect.

Q571 Dr Iddon: This morning we have seen "If this, if that". How on earth can you even stab at £10.6 billion or £19.2 billion when you do not know what the Government's intentions are?

Dr Whitley: We provided detailed appendices where we go through a whole series of line items for the kinds of things we expect based on the architecture as was made publicly available in various Home Office documents, so it is our best guess based on very limited information.

Q572 Dr Iddon: But has it not been irresponsible because it has thrown the debate against identity cards? Was it not irresponsible to stab at such a high figure when you have not got the evidence to support that figure?

Dr Whitley: We provided three figures, a low, a medium and a high, based on our assessment of the likely cost elements of that. If it is irresponsible to introduce to the debate that there might be other ways and other things that need to be taken into consideration, I do not see it as being irresponsible.

Dr Iddon: It has thrown the debate against the ID cards in a lot of circles, that is the problem.

Chairman: I am going to leave that line of questions but I would like to bring Brian back to a question we missed about the technology trials.

Q573 Dr Iddon: In March, Tony, you wrote: "All systems need improvement". What exactly did you mean when you wrote that?

Dr Mansfield: This was in the context of the report I did reviewing the UKPS trials last year. The UKPS ran a pilot; the pilot was mainly looking at the process issues and user issues in enrolling people for the three biometrics, iris, finger print and face recognition, and the performance figures that were obtained were not terribly good for those technologies mainly because of the nature of the trial. The trial was not devised as a performance trial but it illustrated that if you just buy off-the-shelf systems and deploy them with no adaptation to the ID cards programme the performance would not be terribly good, so my comment there is to say that if the results had been reported then there should be a recommendation that there needs to be improvements to the technologies, because clearly the performance was inadequate in that trial.

Q574 Dr Iddon: So what trials are you believing are necessary now? What would you recommend the Home Office to trial, and how?

Dr Mansfield: The kind of trial that I would like, and it probably goes back to earlier than that particular report, back to the Feasibility Study 2003, would be some trial where the Government or the Home Office is working with industry to try and deliver the best possible performance and address the performance issues that get identified in some of these larger trials, for example, the issue with people with disabilities.

Chairman: Thank you very much indeed for an interesting session.



[1] The LSE Identity Project Response to Dr Daugman's submission is available at http://is2.lse.ac.uk/IDcard/default.htm

[2] The Sunday Times, April 23, 2006 'Labour U-turn over ID card medical details' available at http://www.timesonline.co.uk/article/0,,2087-2147744.html

[3] Available at http://press.homeoffice.gov.uk/Speeches/hs-letter-simon-carr?version=1

[4] Answer to Parliamentary question 4167 19 July 2005

[5] Jane Harris, Senior Campaign Officer, Rethink. Presentation in Westminster eForum 'Implementing ID Cards' report, ISBN 1-905029-31-4

[6] Note by the witness: I misspoke here; I meant 'paranoia', rather than 'schizophrenia'.

[7] Note by the witness: Entitlement Cards Risk Workshop, 6 March 2003, Home Office

[8] Page 31 of PDF of UKIPS Corporate Plan 2006-16 available at http://www.passport.gov.uk/downloads/IPS_Corporate_Plans06.pdf

[9] Jean Eaglesham and Maija Palmer, 'Labour races to introduce ID cards', Financial Times, April 17 2006

[10] Note by the witness: I misspoke here; the actual figures are 79 out of 91.

[11] HC Deb, 13 February 2006, Col 1119

[12] HC Deb, 27 February 2006, Col 90W