6. Memorandum submitted by
Computer Sciences Corporation (CSC)
1.1 There are numerous government ID systems
implemented world wide that are using smart card and biometric
Denmark tax returns (with voice recognition,
pin number access).
US Department of Defence Common Access
Cardwith photo, biometrics (fingerprint), and smart card
Malaysia's national ID (Government
Multi-Purpose Card)with photo, biometrics (fingerprint)
and smart card chip.
Spain's social security cardwith
biometrics and smart card chip.
automated border crossing systemwith photo, biometrics
(iris) and smart card chip.
Brunei's national IDwith photo,
biometrics (fingerprint) and smart card chip.
1.2 CSC has implemented high volume, secure
smart card applications internationally, and would be delighted
to arrange educational visits for members of the Committee.
ID DATABASE AND
2.1 If ID cards are to realise benefits
quickly for the government, CSC recommend that a "Central
Utility function" is developed which provides a mechanism
for accessing public services via three core channels:
Self Service (initially over the
web, but not excluding the future use of other technologies).
Assisted service at an agency front
Assisted service via the phone.
2.2 The "Central Utility" will
act as a secure information and communication hub that will interface
to a variety of front end systems (web agency, front desk support,
and call centre support) and across multiple back end systems
(benefits, health, DVLA and so on) along with third party systems
such as payment systems.
2.3 The objective of the Central Utility
is to allow customers, both individual and business, to access
public services in a seamless manner through one point of contact,
rather than interacting with multiple organisations such as the
Benefits Agency, DVLA or the NHS.
2.4 The Central Utility will make use of
a central data store, which retains the secure personal data for
each customer registered within the system. This central store
will, over time, reduce the need for individual agencies to store
their own copies of shared customer data.
2.5 The cost of such a "Central Utility"
will be entirely dependent on the design of the system. However,
a central utility will be an order of magnitude less expensive
than different card production and issuing facilities, perhaps
with different card specifications, resident in different government
agencies (eg DVLA, NHS, Benefits Agency etc).
2.6 ID Database
2.7 In terms of database access, card production
would be done at secure centres, by appointment. Thereafter there
will be a limited number of applications where the database is
accessed, the comparison will be between the citizen and the card.
2.8 Technically the system will be able
to handle large volumes, as personal verification against the
database will be relatively infrequent (for comparison, how often
is a birth certificate, marriage licence or passport produced
now?). Also the volume of comparisons between card and citizen
will depend on the data stored on the card (for example, if the
current address has to be kept up to date).
2.9 Specialist companies known to CSC produce
cards, readers and locking mechanisms. CSC' usually engages these
companies and project manages them as the prime contractor.
2.10 Biometric Identifiers
2.11 A biometric template is locked onto
the smart card by the issuing authority. The smart card prevents
modifications of its memory by anyone who is not correctly authenticated
by the issuing authority.
2.12 Smart cards are very tamper resistant,
and as such are often the most secure link in the whole security
chain of an application. The card is effectively a small computer,
and, if tampering is detected, the card will cease to function.
ID CARDS IN
3.1 Establishing Identity
3.2 Any security system is only as good
as its enrolment process. If someone presents stolen or fraudulent
identity information, such as a stolen or counterfeit passport,
at the time of enrolment and card issuance, then this impostor
could potentially be given a valid ID card.
3.3 An enrolment process that captures biometric
information would be able to ensure that only one ID is issued
to an individual by determining if the same applicant had previously
enrolled with a different name.
3.4 Each ID system should provide cardholders
with a process to report lost or stolen cards so that system information
can be updated.
3.5 If the card includes a biometric, it
will not be able to be used at biometric stations by anyone but
the rightful owner.
3.6 For example, in the Danish Tax system
implemented by CSC, the card is read and a PIN code is keyed in.
3.7 Perhaps more effective, would be the
recording, on the card, of the date and time of the last connection
to the central database.
3.8 For example, using smart card technology,
it would be possible for a police officer to record immediately
in the card when a speeding ticket is issued. This information
could include a note of "judgement or payment pending"
until the next time the card connects to the central database
and gets an update. It would also be possible to note in the smart
card the last time the card was on line with its issuer.
3.9 A smart card based system can improve
privacy, help speed identity validation processes and still be
very secure. The example above does not require the police officer
to access the central database but the information stored on the
card helps validate the logic of the processes done in the field
3.10 Accessing Public Services
3.11 Smart card technology could result
in a complete transformation in the way the general public accesses
government services. An ID card will help reduce data entry and
form filling when a citizen applies to use a government service.
3.12 Services will be identified in line
with the e-Strategy of each government agency. However, likely
services to be provided using identity cards are passports, car
tax, grants and benefits, health, education and family based services.
3.13 However, any system of identity cards
introduced in the UK must strike a positive note, enabling the
general public to better access "public services" and
enabling the government to provide these services more efficiently.
The largest potential barrier to efficiency is duplication.
3.14 If smart cards are to realise benefits
quickly for the government, it is essential that individual service
providers like the DVLA or the NHS don't all go off to develop
their own identity registration, authentication and personal data
management of their smart card data content.
3.15 CSC recommend that a "central
utility function" is developed which will be responsible
for the specification of, procurement and implementation of all
aspects relating to the technical infrastructure required to provide
customers with the ability to access services they are entitled
4. ISSUES TO
4.2 Benefits will accrue from these systems
as the number of people using them increase. It will be easier
for citizens to get their Drivers Licences, Child benefit, with
an ID card rather than without.
4.4 CSC notes that the deployment of smart
card technology in other countries has resulted in cost savings
and extra convenience. in the Danish Tax system implemented by
CSC the technology has saved time and therefore cost, both within
the Tax Authority and in saving citizens' time. Some two thirds
of the tax returns are right when issued to the citizens for checking.
4.5 Home Office officials to date have only
been able to confirm the broad range of costs involved in implementing
an ID card for the UK. CSC suggest that cost estimates will become
clearer once the following matters have been taken into account.
The degree to which biometrics are
included in the ID card solution.
Prioritisation between provision
of public services and prevention of crime and terrorism..
Acceptance of a "Central Utility"
principle for the whole card issuance and processing system.
Which agencies will be providing
their services through the card "Central Utility" and
5. ABOUT CSC
5.1 Established in 1959, CSC is one of the
world's leading consulting and information technology services
firms. With almost 90,000 employees in locations worldwide and
annual revenues of £7.2 billion (28/03/03) CSC is headquartered
in El Segundo, California.
5.2 The UK division, based in Aldershot,
Hampshire was founded in 1967 and has grown rapidly, both through
acquisition and IT outsourcing deals, to become one of the largest
divisions, accounting for around 14% of CSC's global revenue.
5.3 Employing almost 10,000 people at more
than 100 sites across the UK, CSC has annual revenues of around
£1 billion and predicted to be the 3rd largest IT services
companies and the second largest IT outsourcing provider in the
UK this year. Its customers are drawn from all major industry
and government sectors. Visit www.csc.com/uk for more information.