24. Memorandum submitted by
the Institute of Electrical Engineers
The Institution of Electrical Engineers (IEE)
is the largest engineering institution in Europe with a membership
of some 130,000 professional engineers who represent key sectors
including electronics, communications, computing, energy, manufacturing,
and transport. Many of our members have experience in the practical
issues involved in developing complex databases. Members have
also been involved in the design, acquisition and management of
trustworthy and dependable information systems. We therefore welcome
the opportunity to submit evidence to the House of Commons Home
Affairs Committee inquiry into government proposals for an identity
Essential requirements for a biometric identifier
database include: establishing the identity of the person giving
the biometric to a high level of assurance; ensuring that the
stored biometric cannot be tampered with, even by organised criminals
with substantial resources; and ensuring that the equipment that
reads the individual and compares with the stored biometric has
a very low rate of both false positive and false negative errors.
In this context two issues should be addressed.
Firstly, if an individual's biometric data is
compromised either by accident or as part of an identity theft,
the damage to the individual could be substantial. The Committee
should seek information on the mechanisms and compensation schemes
that would be introduced to ameliorate this damage. Secondly the
Committee should investigate the cumulative error rate from each
element of the system. It should then consider whether or not
this is acceptable as a daily failure rate at (for example) benefit
offices, ports and airports, and other high-volume locations.
Whilst the security and integrity of the database
are paramount, so too are considerations of integration between
the ID system and other databases that hold personal information.
For instance many organisations already have access to an individual's
credit rating, and many sectors (for instance insurance) share
information. At the moment these information systems and databases
are merged and linked without much regulation and are therefore
open to misuse and abuse. Unregulated access to the ID system
would in our view be unacceptable and place its integrity at severe
risk of compromise. It is also inevitable that attempts will be
made to access the database either for improper purposes or to
modify it for improper reasons. Therefore the most stringent measures
and precautions must be put in place firstly to deter such activity
(including the necessary legal instruments), secondly to detect
a potential compromise "as it happens", thirdly to protect
the system "in real time", and fourthly to react to
restore the integrity of the system. The Committee should inquire
as to how these requirements would be achieved.
Of equal concern to the security and integrity
of the systems are the issues of trust and risk. There continues
to be much adverse publicity about the alleged shortfalls of the
information systems and databases that are at the hub of the child
maintenance and support arrangements, and the child and working
tax credits schemes. These apparent systemic failures have significantly
degraded public confidence to the extent that it is clearly not
necessary to actually subvert a system to undermine its trust.
Whilst a lack of trust in the examples quoted is felt by a "relatively"
small number of people, if replicated across an ID system that
is used and depended upon by the whole population, it would have
a catastrophic impact.
There are well articulated public concerns related
to the introduction and subsequent management of an ID card system,
and both social and technical issues that need to be explored.
The Committee should investigate how these issues are to be tackled,
and how policy makers will broaden their range of thinking to
better inform the debate. This should in our view include appropriate
social and technological research, and rigorous system prototyping
with public involvement, all of which would require resources
The "flip side" of trust is risk.
The ID system would by its very nature be a high risk project,
and risk management options would include: avoidance of the risk
by desisting from that activity altogether; mitigation of the
risk by introducing controls on the activity; transfer of the
risk by insurance or by contracts with third parties; and acceptance
and management of the risk. Whatever risk reduction strategy is
agreed, it is essential that decision makers demonstrate their
understanding of the delicate relationship between trust and risk,
and reach a balance that is acceptable not only to government
but also the general public.
Various claims have been made for the efficacy
of ID cards in reducing crime, benefit fraud, illegal immigration
etc. Various counterclaims have been made that ID cards are used
to oppress minority groups. There are many countries in the world
that have ID cards and many that do not. We suggest that an independent
analysis, free of commercial or political pressures, is commissioned
to evaluate the various hypotheses about the effects of introducing
ID cards by comparing the situations in other countries. This
simple, low-cost exercise should be an absolute requirement before
any money is spent on implementing a scheme in the UK.
It is likely that any scheme would involve a
central database of biometric details correlated with individual
names and addresses and other personal data. Research has shown
that some categories of individuals (racial groups and people
with certain medical conditions) have a higher failure rate with
certain biometrics. The Committee should consider how the operation
of a proposed ID card scheme would be made non-discriminatory,
and seek scientific evidence as to which biometric is most likely
to achieve that aim.
The Government does not have a good success
rate in achieving large computer-based projects either on time
or within budget. One of the reasons for this poor record is that
companies and consortia chosen to deliver the solutions all too
often fail to draw upon the best software engineering and computer
science knowledge. Therefore, unless the traditional procurement
process is to be radically revised, it is almost certain that
the project will overrun badly, or fail. The cost analysis for
the project should be based on typical outcomes of other complex
projects, not on stand-alone estimates that invariably assume
over-optimistic development and performance achievements. It is
also essential that costs include assessments of the balance between
trust and risk, that funds are made available for independent
studies into the effects of introducing ID cards, for social and
technological research, and system prototyping. The Committee
should probe deeply into the basis of assessments for project
time, cost and performance, and the options not only for development
and procurement, but also operation and support.
In addition to representing the views of the
IEE, this reply takes account of general comments from the UK
Computing Research Committee (UKCRC) (printed at EV 265-269),
an expert panel of the IEE. However, because of their expert knowledge
in certain areas of interest to the committee, the UKCRC has prepared
a separate reply. A copy is enclosed for reference and whilst
their response is complementary to the IEE's, their views do not
necessarily reflect those of the IEE as a whole. Should you have
any further questions, I would be happy to discuss them with you.
The IEE could also provide an expert group to help you with your
inquiry and any future work.
Dr Nicholas Moiseiwitsch
Head of Engineering Policy