SUMMARY

  1.  The justification for a national ID Card Scheme should not be constructed around law and order, identity fraud and illegal migration and working. It should instead be centred on the benefits to a digital society of the use of biometric authentication of registered identity. One of the benefits is that it will address all the points made as the substance for justifying the ID Card Scheme in the Consultation Paper. But it will do much more as well.

  2.  A Biometric Authentication enrolment scheme should ensure that every UK citizen has their identity registered with a central repository—suggested as a much enhanced Public Record Office, not the Home Office, in order that harmony is created with births, deaths and marriages (existing systems) and the Census- and then they carry on them their biometric authenticator in a form that is low cost, highly reliable and portable.

  3.  The PRO Register needs to be subject to open scrutiny by independent watchdogs, and access by other Government Departments in pursuance of criminal investigations only achieved by supervised and legislated warrant, the whole system being regularly audited.

  4.  Establishment of the biometric authenticator is a one to one enrolment system using technology that is low cost and future proof. The key is data storage which should be as independent of networks as possible—the individual carries their biometric authenticator with them, possibly on a card or other medium—thus overcoming civil liberty fears and allowing greater conformance to data protection legislation. The two media suggested are 2D Barcodes (particularly the PDF417 standard) and memory sticks.

  5.  Lastly, biometric authentication can be used to enhance the security of society by using it to "shape the security space", providing intelligent means to target limited security resources where they are most needed.

1.  THE NEED FOR IDENTITY

  1.1  There has always been a need to register the existence of the population. Identity, certainly Existence, is registered when we are born and the end of our Existence is formally recognised when we die. Both use certificates that are kept by individuals but recorded by the Government. Establishing identity is a process that is well practised. The challenge has come through authenticating that identity in a way that is irrefutably that person. In the analogue world of paper and manual processes this was achievable, normally by producing a birth certificate and a witness signature. However, as society becomes more and more digitised, the need to authenticate individuals to allow them access to benefits that are profitably offered through digital means, quicker and more automatic, has found that analogue authentication processes (passports for instance) are inadequate and create vulnerabilities in the digital society.

  1.2  As society becomes more digitised and reaps the benefits of a higher quality of life it is important that the existing processes for recording Existence in society, which are well proven and well established, are equally digitised and secured. Whether the output of this updating is an ID Card for all individuals over the age of 16 is not the issue. That there is already a central database where details of UK citizens (and potential citizens) is held—The Public Records Office—counters the argument that UK needs another Home Office National ID Register. The answer has to be to improve, by secure digitisation, the database that already exists and enhance, as necessary, to cope with asylum seekers, visitors, travellers and the like.

  1.3  Identity in a digital environment is of paramount importance, mainly because nearly all the processes are automated with minimal human involvement. Hence those people who are involved in the system trust it implicitly. There is little margin for doubting that the process can make mistakes; losing one's identity could be catastrophic. The Public Records Office should be the guardian of all identities in a digitised society. It needs to be independent of all other Government Departments and only share identity information under carefully controlled legal circumstances—legal warrants served by the judiciary based on documented evidence of investigation. Under no circumstances should identity information be shared unless it is in relation to a current investigation. Mechanisms for arbitration, ombudsman, audit and scrutiny by independent panels need to be in place to enable the public to trust such a National Identity Guardianship.

  1.4  The concept of a National ID register held by the Home Office is too narrow and short term in its purpose and driven by passing events, not fundamental principles.

2.  THE NEED FOR AUTHENTICATION

  2.1  Having established an identity and had it registered with the State, the individual should now be free to use the authentication of that identity to their advantage. The digitised society allows this: faster processing in airports, faster cash withdrawal, faster purchasing on the internet, better quality of life. There is almost no part of society that does not lend itself to improvement (and profit) by digitisation. The vendor is not particularly fussy who he sells to but, particularly with money information (credit cards), he has a duty of care to ensure that he is selling goods and taking money from the person purported to be buying. Hence it is in his interest to establish identity. This is done by authentication (also known as verification).

  2.2  Authentication in reality provides the permission for the individual to access whatever it is they wish to access. The platform for the authentication (be it a card or other means) is merely a permit. Hence the Consultation Paper was probably correct to move away from the concept of Entitlement Cards—authentication provides no entitlement—but ID Cards may suffer from an equally negative stigma. Having an Authentication Device providing permission to benefit from the digitised society is actually what is being discussed.

  2.3  Authentication is not yet a technology that allows "certainty". In fact it never will. It can only provide a high probability that the individual is who they can show they are. At the moment, the best authentication systems in general use are semi-analogue—Personal Identification Numbers or PINs. These are grossly inadequate. Short term measures are being introduced to enhance these systems but the only system that has the highest probability of first time authentication of identity is the use of one or more biometrics.

  2.4  Authentication is a one to one enrolment and verification process. Many of the authentication techniques, particularly facial biometric, that were introduced in the late 90s were designed for one to many identification. This is an entirely different goal and was originally developed to find football hooligans. The stated intent in the Consultation Paper to be able to find an unknown person in a Register of 50 Million is doomed to failure, as the system in Newham has shown and as the analysis by the Wall Street Journal of the facial one to many scan of the SuperBowl in 2000 also proved.

3.  THE NEED FOR AND TECHNOLOGY OF BIOMETRICS

  3.1  Unique signatures that can only belong to one person allow for a high degree of probability that that person is who they say they are. Fingerprints have been in existence for many years and fitted the analogue authentication processes well. In today's digital domain fingerprints suffer from high false acceptance rates and a social stigma in some cultures, notably UK ("only criminals have their fingerprints taken, don't they?"). A biometric has to have high fidelity and be least intrusive to the individual. It must also be low cost and impact on the existing infrastructure as little as possible. Any society that adopts a biometric for authentication must also allow for technology improvement.

  3.2  There are three processes that must be satisfied in terms of cost, fidelity, intrusion and infrastructure impact in the biometric process: data capture, data processing and data storage.

  3.2.1  Data Capture. For Authentication of identity this has to be a one to one enrolment. This might be by putting a finger on a sensor, putting an eye in front of a laser or just looking at a camera. In the future it might mean no more than walking through a lighted area (to capture the unique hyperspectral reflection off the skin), walking past a hidden radar (that will characterise the unique thoracic cavity signature of each individual). The goal must be to make data capture as seamless and transparent to the individual as possible, not just for civil liberty reasons but also for commercial reasons of keeping the "Customers flowing".

  3.2.2  Data Processing. This is the biometric technique itself. It will probably be a software algorithm but it needs to be fast and the "template" needs to be small—probably no more than 500 bytes. Its fidelity must be such that the probability of a correct authentication is what is known as the five 9s—99.999% probability. This figure is taken from telecommunication availability statistics for the domestic customer before they complain about lack of service. The science and research into biometrics is only really beginning and systems that adopt authentication biometrics must accommodate the future.

  3.2.3  Data Storage. This is the key to any biometric authentication because it determines the authentication platform and a whole lot more. There is an automatic tendency to believe that biometrics need to be stored on "smart card" chips. These are very expensive. There are better methods that allow much more usage of biometrics to provide authentication permission. The principle has to be that the data storage device is portable. One method that has stood the test of time and usage and very common in the US is the 2D Barcode. There are many standards but the most used is the PDF 417 standard patented by Symbol Technologies and put into the public domain. Symbol is one of the world's leading scanner manufacturers. The 2D barcode can store the biometric template, personal details, even a picture with suitable compression techniques. A typical 2D barcode on a credit card can hold over 1300 bytes of information. The Barcode can be printed onto almost any material. To read it merely requires a supermarket scanner. It costs fractions of a penny to print. Near future storage devices include the memory stick that can hold, almost in its "giveaway" form, 1Mbyte of information. This needs a USB connection to a reader to read but obviously holds much more information. The key is to make the data storage device simple, usable, low cost and portable. Smart cards are not the answer. Neither are £30 chips in passports.

4.  THE BOOST TO SECURITY

  4.1  The Public must be assured that all and any data is properly secured and seen to be secured. This is not just about data and cyber security but also about open processes and open scrutiny of the processes to safeguard identity records.

  4.2  However, there is also a need to use authentication of identity as a way to enhance security in society in general. Security in this context includes safety. All the individual needs is to carry their biometric authentication. This may indeed be on a card, but could equally be a printed barcode on their passport or visa, or a variety of devices. The point being that only that person with that biometric authentication can gain access or show that there is a high probability that they are who they are. The conclusion is that there are a variety of options for the individual to carry a biometric authentication device, be it an ID Card or other identity document. The individual should not be limited to just one form of biometric authentication ("Excuse me Sir, do you have some form of biometric authentication on you that conforms to the Governments stated standards?")

  4.3  There are many other positive benefits to every individual carrying biometric authentication including, but not limited to, those that constitute the central argument in the Consultation Paper. Here are just some:

  4.3.1  Single Sign On. This is the Holy Grail of all digital systems—one authenticator for access to all digital systems. The Single Sign On could be from Kerb Side to Sensitive Document Access; the individual uses their biometric to enter the building where they work, to access the lifts and gain access to secure areas, to log on to their work stations, to access only those documents they have permission to access. Biometrics on workstations could continually monitor the individual and, if they leave the station, log off. Any physical intrusion would not work (wrong biometric) but the intrusion would be recorded pictorially. In essence the person and their biometric authentication act similarly to a Public key Infrastructure, whereby access is only gained when two parts of the "key" come together. The elegance is that the "key" is a biometric feature owned by the individual and that the "certification" is immensely more simple, held in the Public Records Office.

  4.3.2  Error Reduction In Hospitals. This is one of the highest concerns in the US where errors run at about 25%. Figures in NHS are not known but might be just as high. Simply the biometric for the patient is held on their wrist tag (barcode) and the doctor checks that he has the right patient before taking whatever clinical procedure was decided (medicine, surgery, dispensing medicine).

  4.3.3  Children Ward Security. Clearly biometrics do not work for babies and infants but their guardians/parents along with their designated nurses/doctors biometrics could be attached to the babies wrist/leg tag and only those people would be allowed to handle the baby or remove it from the ward.

  4.3.4  Administering Drugs. Whether it be in prisons or in pharmacies, drug addicts on rehabilitation are supervised on their prescriptions. These are administered on a daily basis by the pharmacist who may have a large number of addicts who visit them daily for their dose. There is massive fraud in this area at the moment. Biometric authentication would cut this to zero.

  4.3.5  Travel Security. Biometric authentication is a necessity for travel in the future. This is recognised by the Consultation Paper. To be a benefit the system must be swift and sure. Hence printing the biometric authentication on the boarding pass at check in is an obvious benefit. The biometric authenticator can then be printed onto the luggage tags as well, allowing for greater positive linkage between traveller and their luggage. Those who allow this get the "green light" treatment. Those who do not are processed manually. There should be no compulsion.

  4.3.6  Authentication of identity should not be compulsory. It should be adopted by those who wish to reap the benefit. There will always be those who do not want to conform. It has to be assumed that a high number of potential bad guys and terrorists will opt for the old analogue system if it is available. Therefore make it available so that the likelihood that those who use this older process are more likely to be potential terrorists. This allows for greater, but slower, manual scrutiny using technology as well as people but also allows the limited security human resources to be focused more on where they are needed. This is what is called "shaping the security space".

January 2004