Memorandum submitted by Daon (UKB 2)
Public Bill Committee: UK Borders Bill
Daon welcomes the opportunity to make this submission to the Public Bill Committee, The primary purpose of this submission is to discuss the operational considerations for the use of biometrics in relation to the UK Borders Bill (the Bill) and wider e-Borders. A secondary purpose is to discuss some of the significant challenges and tradeoffs involved in satisfying these types of requirements.
Daon has considerable proven international experience in the use of biometric identity assurance. For example, Daon is at the heart of the US Registered Traveller programme which provides an example of Public Private Partnership to improve the travel experience through US Airports based on the use of Biometric technologies. We also manage the Government of Qatar's civil ID card programme and assist the Australian Government with core biometric identity assurance software in the areas of Immigration and Border Management.
Similarly, in the UK Daon provides an easy-to-use staff identification system at London's City Airport using each employee's fingerprint biometric to control access to restricted areas of the airport - over 4,000 authentications pass through the system every day.
Daon is happy to provide further written and oral information to the Committee should you require it.
2. Overview of this Document
The document describes a number of operational considerations and provides recommendations on how these considerations can be translated into requirements in the use of biometrics.
The operational considerations detailed below are:
§ Operational Considerations
§ Multi-Modal Biometrics
§ Biometric Error Rates
§ Security and Privacy
§ Biometric Standards.
3. Operational Considerations
The environment in which the UK Borders Bill proposals will be developed and operated has a profound impact on the operational requirements. On a technical level, this means that emphasis should be placed on ensuring that the biometric immigration document can easily integrate with a wide variety of systems, whose interfaces will vary in terms of technology, standards, and functionality. However, the more profound impact is that multiple stakeholders and multiple systems greatly complicate the derivation and validation of system requirements.
4. Multi-Modal Biometrics
Several factors strongly mandate that the biometric immigration document be a multi-modal biometric document. No single biometric today is sufficiently universal that every individual can be enrolled and matched using that single biometric. The use of multiple biometrics (e.g., finger, face, iris) provides a means for virtually every individual to be enrolled and processed using at least one of the biometrics.
Second, operational labour is a significant consideration when computing the true cost of ownership for this type of system. Previous studies about the use of biometrics in border management situations suggest that secondary processing of false rejections during primary processing can drive the operational labour. Reducing error rates at primary and automatically processing a high percentage of the referrals to secondary can significantly reduce operational costs. Multi-modal biometrics offer several potential ways to do this.
Third, the availability of multiple biometrics offers future flexibility at points of service. Identity checks can occur in a variety of environments and be used for a variety of different purposes, as systems such as e-Borders are deployed and integrated. It is unlikely that a single biometric modality is the optimal answer for all these different usage scenarios, and multiple biometrics offer the future flexibility to use the mode that is best adapted to each situation.
Fourth, multiple biometrics can have a positive impact on security. Multiple biometrics provides the opportunity to improve accuracy, avoid "false acceptances", and minimise the number of "exceptions" that must be processed manually. In general, manual processing of exceptions is normally the weakest link in the security chain for biometric systems.
5. Biometric Errors Rates
As with all pattern matching techniques, biometrics are not fool proof. Two biometrics from the same person may fail to match (a "false negative"). Conversely, two biometrics from different individuals may appear to match (a "false positive"). When dealing with large enrolled populations and high volumes of transactions, these error rates become a critical operational consideration.
6. Security and Privacy
Security and privacy are two additional factors that are critical to public trust and acceptance. This means insuring the privacy of biometric data and securing the system against unauthorised attempts to alter data or disrupt operations.
There are many recent examples of personal data collected on a government system being accidentally or maliciously disclosed. There are also many examples of laptops being stolen that contained volumes of personal data collected by a government agency. All of these types of incidents undermine public confidence.
A mechanism that protects against either accidental or malicious disclosure is required. It is recommended that personal data such as biometrics be strongly encrypted and that the keys be afforded a corresponding measure of protection. Then, even if the physical media upon which the data is stored were to be misappropriated, the data will be secure from all but the most sophisticated and costly attacks.
Similarly, the public trust depends on ensuring that collected data is not subject to attack by hackers or cyber terrorists. While security standards are commonly employed on many IT systems, the world of biometrics has been relatively slow to require them. This is because many of the technology components that comprise the industry were developed before complex "systems of systems" began to evolve using biometrics and before such standards became de rigor. This is why it is critical that any core framework be required to comply with mature security standards such as Common Criteria.
7. Biometric Standards
There are trade-offs associated with standards implementation - interoperability is not always free. That is, a gain in interoperability and interchangeability may sometimes be at the expense of a loss or degradation somewhere else (performance, low-level control, etc.). The flexibility given by the cross-vendor support of a standard may come at the cost of losing the optimised performance of a proprietary solution.
Therefore, it is critical that the architectural approach taken insulates the solution from evolving standards capabilities and eases their adoption as appropriate over the life of the programme. That is, it should enable proprietary interfaces and open standards components to be mixed and matched. Additionally such a layer of abstraction will facilitate the evolution to more standards based compliance as the appropriate standards mature and vendor support improves to balance the cost benefit equation.
Standards are important, since their adoption will reduce risk during the implementation of the systems, though providing interchangeability and interoperability. Standards simplify integration, support simpler upgrades of technologies, and reduce "vendor lock-in" effects. This can lead to a broader range and availability of products and movement towards commoditisation.