39. Memorandum submitted by QinetiQ
SUMMARY
1. The justification for a national ID
Card Scheme should not be constructed around law and order, identity
fraud and illegal migration and working. It should instead be
centred on the benefits to a digital society of the use of biometric
authentication of registered identity. One of the benefits is
that it will address all the points made as the substance for
justifying the ID Card Scheme in the Consultation Paper. But it
will do much more as well.
2. A Biometric Authentication enrolment
scheme should ensure that every UK citizen has their identity
registered with a central repository - suggested as a much
enhanced Public Record Office, not the Home Office, in order that
harmony is created with births, deaths and marriages (existing
systems) and the Census - and then they carry on them their biometric
authenticator in a form that is low cost, highly reliable and
portable.
3. The PRO Register needs to be subject
to open scrutiny by independent watchdogs, and access by other
Government Departments in pursuance of criminal investigations
only achieved by supervised and legislated warrant, the whole
system being regularly audited.
4. Establishment of the biometric authenticator
is a one to one enrolment system using technology that is low
cost and future proof. The key is data storage which should be
as independent of networks as possible - the individual carries
their biometric authenticator with them, possibly on a card or
other medium - thus overcoming civil liberty fears and allowing
greater conformance to data protection legislation. The two media
suggested are 2D Barcodes (particularly the PDF417 standard) and
memory sticks.
5. Lastly, biometric authentication can
be used to enhance the security of society by using it to "shape
the security space", providing intelligent means to target
limited security resources where they are most needed.
1. THE NEED FOR IDENTITY
1.1 There has always been a need to register
the existence of the population. Identity, certainly Existence,
is registered when we are born and the end of our Existence is
formally recognised when we die. Both use certificates that are
kept by individuals but recorded by the Government. Establishing
identity is a process that is well practised. The challenge has
come through authenticating that identity in a way that is irrefutably
that person. In the analogue world of paper and manual processes
this was achievable, normally by producing a birth certificate
and a witness signature. However, as society becomes more and
more digitised, the need to authenticate individuals to allow
them access to benefits that are profitably offered through digital
means, quicker and more automatic, has found that analogue authentication
processes (passports for instance) are inadequate and create vulnerabilities
in the digital society.
1.2 As society becomes more digitised and
reaps the benefits of a higher quality of life it is important
that the existing processes for recording Existence in society,
which are well proven and well established, are equally digitised
and secured. Whether the output of this updating is an ID Card
for all individuals over the age of 16 is not the issue. That
there is already a central database where details of UK citizens
(and potential citizens) are held - The Public Records Office - counters
the argument that the UK needs another Home Office National ID Register.
The answer has to be to improve, by secure digitisation, the database
that already exists and enhance, as necessary, to cope with asylum
seekers, visitors, travellers and the like.
1.3 Identity in a digital environment is
of paramount importance, mainly because nearly all the processes
are automated with minimal human involvement. Hence those people
who are involved in the system trust it implicitly. There is little
margin for doubting that the process can make mistakes; losing
one's identity could be catastrophic. The Public Records Office
should be the guardian of all identities in a digitised society.
It needs to be independent of all other Government Departments
and only share identity information under carefully controlled
legal circumstances - legal warrants served by the judiciary
based on documented evidence of investigation. Under no circumstances
should identity information be shared unless it is in relation
to a current investigation. Mechanisms for arbitration, ombudsman,
audit and scrutiny by independent panels need to be in place to
enable the public to trust such a National Identity Guardianship.
1.4 The concept of a National ID register
held by the Home Office is too narrow and short term in its purpose
and driven by passing events, not fundamental principles.
2. THE NEED FOR AUTHENTICATION
2.1 Having established an identity and had
it registered with the State, the individual should now be free
to use the authentication of that identity to their advantage.
The digitised society allows this: faster processing in airports,
faster cash withdrawal, faster purchasing on the internet, better
quality of life. There is almost no part of society that does
not lend itself to improvement (and profit) by digitisation. The
vendor is not particularly fussy who he sells to but, particularly
with money information (credit cards), he has a duty of care to
ensure that he is selling goods and taking money from the person
purported to be buying. Hence it is in his interest to establish
identity. This is done by authentication (also known as verification).
2.2 Authentication in reality provides the
permission for the individual to access whatever it is they wish
to access. The platform for the authentication (be it a card or
other means) is merely a permit. Hence the Consultation Paper
was probably correct to move away from the concept of Entitlement
Cards - authentication provides no entitlement - but ID
Cards may suffer from an equally negative stigma. Having an Authentication
Device providing permission to benefit from the digitised society
is actually what is being discussed.
2.3 Authentication is not yet a technology
that allows "certainty". In fact it never will. It can
only provide a high probability that the individual is who they
can show they are. At the moment, the best authentication systems
in general use are semi-analogue - Personal Identification
Numbers or PINs. These are grossly inadequate. Short term measures
are being introduced to enhance these systems but the only system
that has the highest probability of first time authentication
of identity is the use of one or more biometrics.
2.4 Authentication is a one to one enrolment
and verification process. Many of the authentication techniques,
particularly facial biometric, that were introduced in the late
90s were designed for one to many identification. This is an entirely
different goal and was originally developed to find football hooligans.
The stated intent in the Consultation Paper to be able to find
an unknown person in a Register of 50 Million is doomed to failure,
as the system in Newham has shown and as the analysis by the Wall
Street Journal of the facial one to many scan of the SuperBowl
in 2000 also proved.
3. THE NEED FOR AND TECHNOLOGY OF BIOMETRICS
3.1 Unique signatures that can only belong
to one person allow for a high degree of probability that that
person is who they say they are. Fingerprints have been in existence
for many years and fitted the analogue authentication processes
well. In today's digital domain fingerprints suffer from high
false acceptance rates and a social stigma in some cultures, notably
UK ("only criminals have their fingerprints taken, don't
they?"). A biometric has to have high fidelity and be least
intrusive to the individual. It must also be low cost and impact
on the existing infrastructure as little as possible. Any society
that adopts a biometric for authentication must also allow for
technology improvement.
3.2 There are three processes that must
be satisfied in terms of cost, fidelity, intrusion and infrastructure
impact in the biometric process: data capture, data processing
and data storage.
3.2.1 Data Capture. For Authentication of
identity this has to be a one to one enrolment. This might be
by putting a finger on a sensor, putting an eye in front of a
laser or just looking at a camera. In the future it might mean
no more than walking through a lighted area (to capture the unique
hyperspectral reflection off the skin), walking past a hidden
radar (that will characterise the unique thoracic cavity signature
of each individual). The goal must be to make data capture as
seamless and transparent to the individual as possible, not just
for civil liberty reasons but also for commercial reasons of keeping
the "Customers flowing".
3.2.2 Data Processing. This is the biometric
technique itself. It will probably be a software algorithm but
it needs to be fast and the "template" needs to be small - probably
no more than 500 bytes. Its fidelity must be such that the probability
of a correct authentication is what is known as the five 9s - 99.999%
probability. This figure is taken from telecommunication availability
statistics for the domestic customer before they complain about
lack of service. The science and research into biometrics is only
really beginning and systems that adopt authentication biometrics
must accommodate the future.
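The contrast between one to one verification (paragraph 2.4) and a one to many search of a 50 million record register can be made concrete with the five 9s figure from paragraph 3.2.2. The following is an added example, not part of the memorandum; it assumes the 99.999% figure is read as a per-comparison false match rate of 0.00001 and that comparisons are independent.

```python
"""Added example: how a per-comparison error rate scales from 1:1 to 1:N."""
import math

# Assumption: the memorandum's "five 9s" target is read as a per-comparison
# false match rate (FMR) of 1 - 0.99999. The page states the figure only as
# the probability of a correct authentication.
FIVE_NINES_FMR = 1e-5
REGISTER_SIZE = 50_000_000  # "a Register of 50 Million" (paragraph 2.4)


def expected_false_matches(fmr: float, gallery: int) -> float:
    """Mean number of wrong records that match one probe in a 1:N search."""
    return fmr * gallery


def p_any_false_match(fmr: float, gallery: int) -> float:
    """P(at least one false match) = 1 - (1 - fmr)^N, computed stably.

    Assumes each of the N comparisons is independent.
    """
    return -math.expm1(gallery * math.log1p(-fmr))


def required_fmr(target: float, gallery: int) -> float:
    """Per-comparison FMR needed so a 1:N search false-alarms <= target."""
    return -math.expm1(math.log1p(-target) / gallery)


def scaling_table(fmr: float, galleries: list[int]) -> list[tuple[int, float, float]]:
    """Rows of (gallery size, expected false matches, P(any false match))."""
    return [(n, expected_false_matches(fmr, n), p_any_false_match(fmr, n))
            for n in galleries]


if __name__ == "__main__":
    for n, mean, p in scaling_table(FIVE_NINES_FMR,
                                    [1, 1_000, 100_000, REGISTER_SIZE]):
        print(f"N={n:>11,}  expected false matches={mean:>10.4f}  P(any)={p:.6f}")
    need = required_fmr(0.01, REGISTER_SIZE)
    print(f"FMR needed for 1% false alarms at N=50M: {need:.3e}")
```

Under these assumptions a single one to one check false-matches about once in 100,000 attempts, while the same matcher searched against the whole register returns roughly 500 wrong candidates per probe.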
3.2.3 Data Storage. This is the key to any
biometric authentication because it determines the authentication
platform and a whole lot more. There is an automatic tendency
to believe that biometrics need to be stored on "smart card"
chips. These are very expensive. There are better methods that
allow much more usage of biometrics to provide authentication
permission. The principle has to be that the data storage device
is portable. One method that has stood the test of time and usage
and is very common in the US is the 2D Barcode. There are many standards
but the most used is the PDF 417 standard patented by Symbol Technologies
and put into the public domain. Symbol is one of the world's leading
scanner manufacturers. The 2D barcode can store the biometric
template, personal details, even a picture with suitable compression
techniques. A typical 2D barcode on a credit card can hold over
1300 bytes of information. The Barcode can be printed onto almost
any material. To read it merely requires a supermarket scanner.
It costs fractions of a penny to print. Near future storage devices
include the memory stick that can hold, almost in its "giveaway"
form, 1Mbyte of information. This needs a USB connection to a
reader to read but obviously holds much more information. The
key is to make the data storage device simple, usable, low cost
and portable. Smart cards are not the answer. Neither are £30
chips in passports.
4. THE BOOST TO SECURITY
4.1 The Public must be assured that all
and any data is properly secured and seen to be secured. This
is not just about data and cyber security but also about open
processes and open scrutiny of the processes to safeguard identity
records.
4.2 However, there is also a need to use
authentication of identity as a way to enhance security in society
in general. Security in this context includes safety. All the
individual needs is to carry their biometric authentication. This
may indeed be on a card, but could equally be a printed barcode
on their passport or visa, or a variety of devices. The point
being that only that person with that biometric authentication
can gain access or show that there is a high probability that
they are who they are. The conclusion is that there are a variety
of options for the individual to carry a biometric authentication
device, be it an ID Card or other identity document. The individual
should not be limited to just one form of biometric authentication
("Excuse me Sir, do you have some form of biometric authentication
on you that conforms to the Government's stated standards?")
4.3 There are many other positive benefits
to every individual carrying biometric authentication including,
but not limited to, those that constitute the central argument
in the Consultation Paper. Here are just some:
4.3.1 Single Sign On. This is the Holy Grail
of all digital systems - one authenticator for access to all
digital systems. The Single Sign On could be from Kerb Side to
Sensitive Document Access; the individual uses their biometric
to enter the building where they work, to access the lifts and
gain access to secure areas, to log on to their work stations,
to access only those documents they have permission to access.
Biometrics on workstations could continually monitor the individual
and, if they leave the station, log off. Any physical intrusion
would not work (wrong biometric) but the intrusion would be recorded
pictorially. In essence the person and their biometric authentication
act similarly to a Public Key Infrastructure, whereby access is
only gained when two parts of the "key" come together.
The elegance is that the "key" is a biometric feature
owned by the individual and that the "certification"
is immensely more simple, held in the Public Records Office.
4.3.2 Error Reduction In Hospitals. This
is one of the highest concerns in the US where errors run at about
25%. Figures in NHS are not known but might be just as high. Simply
the biometric for the patient is held on their wrist tag (barcode)
and the doctor checks that he has the right patient before taking
whatever clinical procedure was decided (medicine, surgery, dispensing
medicine).
4.3.3 Children Ward Security. Clearly biometrics
do not work for babies and infants but their guardians/parents
along with their designated nurses'/doctors' biometrics could be
attached to the baby's wrist/leg tag and only those people would
be allowed to handle the baby or remove it from the ward.
4.3.4 Administering Drugs. Whether it be
in prisons or in pharmacies, drug addicts on rehabilitation are
supervised on their prescriptions. These are administered on a
daily basis by the pharmacist who may have a large number of addicts
who visit them daily for their dose. There is massive fraud in
this area at the moment. Biometric authentication would cut this
to zero.
4.3.5 Travel Security. Biometric authentication
is a necessity for travel in the future. This is recognised by
the Consultation Paper. To be a benefit the system must be swift
and sure. Hence printing the biometric authentication on the boarding
pass at check in is an obvious benefit. The biometric authenticator
can then be printed onto the luggage tags as well, allowing for
greater positive linkage between traveller and their luggage.
Those who allow this get the "green light" treatment.
Those who do not are processed manually. There should be no compulsion.
4.3.6 Authentication of identity should
not be compulsory. It should be adopted by those who wish to reap
the benefit. There will always be those who do not want to conform.
It has to be assumed that a high number of potential bad guys
and terrorists will opt for the old analogue system if it is available.
Therefore make it available, so that those
who use this older process are more likely to be potential terrorists.
This allows for greater, but slower, manual scrutiny using technology
as well as people but also allows the limited security human resources
to be focused more on where they are needed. This is what is called
"shaping the security space".
January 2004