HOUSE OF COMMONS
MINUTES OF EVIDENCE
HOME AFFAIRS COMMITTEE
Tuesday 24 February 2004
MR NICK KALISPERAS, MR GEOFF LLEWELLYN, PROFESSOR ROSS ANDERSON and PROFESSOR MARTYN THOMAS
USE OF THE TRANSCRIPT
1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
Taken before the Home Affairs Committee
on Tuesday 24 February 2004
Mr John Denham, in the Chair
Mr David Cameron
Mrs Janet Dean
Mr Gwyn Prosser
Mr John Taylor
Memoranda submitted by Intellect, Foundation for Information Policy Research and UK Computing Research Committee
Examination of Witnesses
Witnesses: Mr Nick Kalisperas, Senior Programme Manager, Mr Geoff Llewellyn, Member, ID Card Working Group, Intellect, Professor Ross Anderson, Foundation for Information Policy Research, and Professor Martyn Thomas, UK Computing Research Committee, examined.
Q332 Chairman: Good afternoon. Thank you very much indeed for coming to the Committee this afternoon. As we have four witnesses today could you briefly introduce yourselves and the organisations you come from?
Mr Llewellyn: Geoff Llewellyn, Member of the Intellect Working Party on ID Cards.
Mr Kalisperas: Nick Kalisperas. I am the Senior Programme Manager at Intellect with responsibility for the ID card programme.
Q333 Chairman: Perhaps you could say for the record what Intellect is.
Mr Kalisperas: Intellect is the trade association representing IT, telecoms and electronics companies in the UK.
Professor Thomas: I am Martyn Thomas, representing UKCRC, the UK Computing Research Committee, which is an expert panel of the Institution of Electrical Engineers and the British Computer Society dealing with matters that affect computing research.
Professor Anderson: I am Ross Anderson. I chair the Foundation for Information Policy Research, which is Britain's leading internet policy think-tank. My day job is as Professor of Security Engineering at Cambridge University.
Q334 Chairman: Thank you very much. With four witnesses we obviously want to get a full range of views. Can I start with possibly a very basic question but one that has now come up several times in our inquiry into identity cards, which is whether it is necessary for somebody to carry a card in order to have an identification system? For example, if there were, as is proposed, a central database carrying a certain amount of biometric information do you need a card or would it be possible to use that database simply by having sufficient biometric readers around the place to meet all the practical purposes?
Professor Thomas: In principle it would work. In practice it would require a lot of hardware and a lot of calls on that central database, so it may not be practical but it is theoretically possible.
Q335 Chairman: What is the difference in principle between a situation where somebody who carries a card, which is possibly not of any great use unless you have got some sort of fingerprinting apparatus to check that the data on the card is the same as the fingerprint the person has got or that the iris scan is the same as the one on the card, and checking the card against a local biometric reader and checking the person against a central database? What is the practical difference between the two, or is the assumption that the ID card will work in lots of circumstances where you are never going to want to check the biometric data?
Professor Anderson: You could look, for example, at what happens with the airlines which are increasingly abolishing tickets. Within the controlled environment of an airport or airline system you can just as easily record the fact that Joe Bloggs, born on such-and-such, has got a ticket to fly to New York. Similarly, you could have this information available on line. Bear in mind that in the first phase of this we are talking about a digitised photograph rather than fingerprints or iris codes. You could have a system whereby you went and said, "I am John Denham, born on such-and-such a date", the Passport Office will type this in and your mug shot and Passport Office files will come up. The main objection to that would be first, what happens if the database is down; have you got a means of off-line checking, and secondly, there is the issue of reassurance. I certainly felt slightly nervous the first few times I went to get on a plane without a ticket.
Mr Llewellyn: I could perhaps link the two questions you pose there: is a card necessary and what are the practicalities? There is a very strong argument that having a physical card is something that gives a tangibility to the whole process which is reassuring to citizens as a whole and it makes the whole process rather easier to understand. In terms of the value of a card at point of use, there is a kind of hierarchy of security issues that one would need to address. For example, if you were trying to get into Fort Knox you would want to have absolutely strong confirmation that you were who you said you were, whereas there are other lower sensitivity, lower value transactions where simply holding the card which contains your photograph would be quite sufficient to prove your identity for the purposes of that transaction. The idea of a card which has the photograph and the biometrics embedded on the chip gives you the flexibility to run a whole variety of different checks against the card or, for a very highly sensitive transaction, against a central database.
Q336 Chairman: For the purposes for which the government have said that a card would be used, which is at the core largely migration, immigration and citizenship issues and access to some public services like health but not to other public services like education, at which points in that hierarchy is it sufficient just to have a card? Where would you need to have the higher level of identity checking?
Mr Llewellyn: I think one would need to take notice of that and have a fuller specification of the types of transaction, but notionally one could set out a hierarchy of transactions which were typically undertaken with a card and as part of the preparation for implementing a scheme of this sort there would be a convention which would be established, I would imagine, either in the legislation or in discussion which would say, "These are the types of transactions that are appropriate and these are the ones where a higher level of certification is necessary".
Professor Thomas: There is a fundamental issue here which I think will come up a number of times, and that is that the government has identified a number of application areas of the card but nothing that I have been able to find identifies why the ID card as proposed is a solution to any particular problems in those application areas. Until that is done most of the questions you ask in this area do not have an answer because you are not asking the right people. You need to be asking the Home Office.
Professor Anderson: I must say I am slightly alarmed at the proposal that ID cards be foisted on the health service. I have had some experience in the past of dealing with medical information systems and there has been a debate in a number of countries about whether you should put things like emergency medical information onto either a medical insurance smart card or onto a national identity card. The experience from overseas, such as it is, suggests that this is a bad idea for safety reasons. Suppose, for example, you are diabetic. At the moment you might carry a bracelet with you, you might carry a special purpose card in your wallet so that if you pass out somewhere the ambulanceman has a hint. If that vanishes into a secure chip on a card that can only be read by authorised people and you pass out on an aeroplane over the Atlantic that is a different matter. One or two countries, like Germany, have gone down this route but a number of other countries have on mature reflection decided that it is not a good idea, and so I would be particularly anxious for the government to think long and hard before calling the NHS into this particular project.
Q337 Chairman: My understanding has been that it was more about establishing whether you are entitled to have any sort of NHS treatment as opposed to a card carrying medical records. The point that has been brought out is that you are saying to the committee that we need sharper definition of exactly what the purposes are and the places in which identity is required for you to be able to tell us whether carrying a card or having your identity checked against a central register would be the appropriate response. Is that fair?
Professor Thomas: Yes.
Q338 Chairman: Can we move on to Professor Anderson? I think the FIPR said that you are sceptical about the advantages of a single card, preferring perhaps to have a range of different cards or identifiers specific to particular services that people might want to access. Is that right?
Professor Anderson: That is right. The smart card industry has had over the last 15 years a number of projects to persuade people that a multi-function smart card might be a good thing. I have been involved peripherally in one or two of these, for example, trying to design a system that was simultaneously a banking card and a card for prepayment of electricity meters. The experience of these attempts and pilots was almost uniformly negative. Technically it is usually not a big deal to have a card with two applications on it but from the administrative point of view and the point of view of legal liability and issues such as whose logo is on the card, who is liable when something breaks, things are very much more difficult. If you are a banker the last thing you want to do is to be held liable for a power cut or for somebody being unable to get electricity if they suffer as a result. For these reasons the experience of industry is that everybody wants their own card, they want their own customer database and they want control of their own mechanisms to access that database.
Q339 Mr Taylor: Mr Chairman, forgive me: I did not quite catch what Professor Anderson said about dual use, one of which I think you said was a banking card and the other was something to do with electricity supply, and I did not quite catch it.
Professor Anderson: This was ten years ago when the government of South Africa decided to electrify a couple of million homes and, as many of the poor people had no addresses, let alone credit ratings, it was necessary to bring in prepayment electricity meters. The question was whether existing banking smart cards could be used for the purpose of smart cards which people used to share taxi rides. The answer was that technically it would be easy to do but the liability and branding and other business issues were simply a nightmare.
Q340 Chairman: That is what some people would put as a producer point of view. The electricity company did not want to do it and the bank did not want to do it. From a citizen's point of view is there not a case for saying that people would find it quite annoying to have to carry eight or ten different cards for different purposes, all of which are there to identify them? Is there not some advantage from the citizen's point of view instead to have one card which fulfils all those functions? If we are talking about the citizen's point of view is that not where we should start from?
Professor Anderson: It might be nice to have but in my view it is not likely to happen as a practical matter. There is other experience. For example, in our university we have brought in a university card to try and unify the various kinds of door locking/photocopier access to our hundred or so libraries and again we ran into problems with that. As a general principle, if you have one mechanism that you make serve more purposes then you make it more fragile, you make it more expensive, you make it more difficult to maintain and it becomes a road block in the things that all sorts of people are trying to do. It is very much more convenient, if you are responsible for a particular library, if you can issue a customer with your own card.
Q341 Chairman: In the university complex does that mean you have a different list of people who are entitled to use the photocopier from those who are entitled to use the library and so on, or are you talking about different cards but the same database of students and university staff? Are you saying that not only do you have separate cards to identify yourself but you also want separate databases maintained separately, even though it is the same people on them?
Professor Anderson: As a practical matter you end up with hundreds of separate back-end databases. Each library will have a database of which books are out at the moment; each college, if it is using this for access to buildings, will have its own list of who is a member of the college and which buildings they are allowed to go into. If it is using it for college meal payments then it has to run accounts for each of the students who are using the system. This proliferates very rapidly on a very large scale and it becomes very difficult to have one single centralised system.
Q342 Chairman: The government has clearly set out to say that they want one database for all people in the country to which various applications can then be applied. Are you saying that that is fundamentally a wrong approach?
Professor Anderson: I think it would be completely unrealistic to have one database from which lots of commercial companies built their systems. I think it would even be dangerous, for example, to try and unify the databases of the Passport Office, the National Insurance database and the DVLA because when you unify such databases that means that whichever company is managing them has a much greater hold over the government and that means that the cost tends to go up, the difficulty of making changes increases and the flexibility of the system decreases, and ministers are in effect held over a barrel because it becomes simply too risky to change the system once it becomes critical infrastructure for a very large part of the public sector.
Q343 Chairman: That was not a success for you, I gather. Does anybody else have a view?
Mr Llewellyn: I am afraid it means stepping back for a moment. Again, to refer back to the model of use of a card, a card which has to be referred on every occasion of use to a single central database has the advantages of high security, but it has the vulnerabilities of the requirement for the network to be up and running all the time. If you take the point I made earlier about the hierarchy of security and the hierarchy of sensitivity of transactions, then you could see that for a card which was issued to a unique individual under the auspices of the state and which has got the highest possible certification - the holder of that card is actually Joe Bloggs and that can be proved by relating the information on the card to the fingerprint, the iris or whatever it might be, of the person who is there - that proof of identity is then quite enough on its own to act as a key to other databases. For example, if you have got that highest integrity proof of identity, it becomes a multi-purpose card. It does not mean that you have to have a single database. You could perfectly well have your library, your meals, whatever it might be, accessed by that single key but there would be many databases, all accessed by that single key. The critical thing is that the padlocking of that card as an electronic token to the unique individual then enables that card to be used to open up lots of boxes, if you like, and the boxes could be university accounts, they could be tax accounts, they could be social security accounts or whatever, or it could be your free bus pass. The key thing is the association of the unique individual with that electronic token and that has no implications for one massive database. You do not have to have a massive database which has got all of these applications on it. What you need is a single secure key.
Q344 Chairman: Professor Thomas?
Professor Thomas: There is a technical systems engineering issue here which is captured in popular wisdom by "don't put all your eggs in one basket". If you create either a single card that has multi functions or a single database then you are adding to the nation's critical infrastructure unnecessarily and by doing that you are making a very large range of services, probably a growing range of services, vulnerable to a single attack, either a deliberate attack or a fault that arises as a consequence of mis-implementation or accident. This seems (and undoubtedly is) an extremely foolish thing to do if you do not need to do it. First, you create a target that is worth subverting and therefore you increase the resources that will be applied to subverting it. Secondly, you increase the damage that is done when, by whatever means, that particular system gets compromised. If it is an individual's card that is compromised, you have increased the damage to them because they do not have the back-up mechanisms of all the multiple cards that they currently have for getting access to other parts of their life. If it is a central system that is compromised, then you are really in trouble because everybody potentially is having difficulties over all the aspects of their lives that are implemented on that system.
Mr Kalisperas: I think that fundamentally we are in danger of mixing two issues here. The Home Office proposal as it stands at the moment is for a card that verifies identity or for a system that verifies identity. Whether the system itself in the longer term provides access to either commercial or other public services is a separate debate. What we would like to see, and we have said this repeatedly, is an evolutionary card. That can only be done through discussion with industry and with organisations such as those who are here at this table. Jumping ahead to what the inevitable end product is obscures the necessity of getting the original specification right, and that can only be done through a thorough examination of the issues with the various stakeholders.
Q345 Mr Cameron: What is the point, Mr Kalisperas, of having a system if the intention is not to use it for some of the services that have been outlined? I am confused. Professor Anderson and Professor Thomas seem to be in the "don't put all your eggs in one basket" camp, and I can understand that: you have got one card that gives you access to all these services and if something goes wrong with the database you are in real trouble. I am not quite following the argument at the other end of the table, the Intellect argument; my intellect is clearly not up to it. Can you have another go in explaining why you disagree with them, and in particular answering this point: what is the point of having a card if it does not give you access to services and, if it does give you access to services, are you not in the "eggs in one basket" problem that they have outlined so clearly?
Mr Llewellyn: There is a rather strong analogy between the introduction of paper money as a means of exchange, making our economy work 300 or 400 years ago, and the cards that we are now talking about. Paper money is a system which has got critical dependencies. It can be forged, it can be played around with in various ways, and yet everybody can see the very obvious advantages in terms of liquidity in the economy and making the economy work using paper money as a way forward. I think we need to have a similar vision, if you like, of the potential up-side of a secure electronic key. The point that Nick was making about a migration path and an evolutionary card bears on that. In terms of the "eggs in one basket" argument, the fact that there is a single database of citizens obviously does mean that there is one source of truth, if you like, and you would need to be absolutely sure that when an ID card was issued to a unique individual there was the highest possible integrity in the process for issuing that card to that individual, but once that has been done the fact that you have got a single database means, for example, that if the card were lost, which is one of the potential "eggs in one basket" problems that has been mentioned, then replacing the card that had been lost would be a much simpler process because you would simply go to a single location and demonstrate that you possessed the biometric in question and a replacement card could be given to you immediately and the card that had been lost would be of no use to somebody else who tried to use it because they would not have the appropriate biometric. In terms of the "eggs in one basket" argument from the point of view of the individual's convenience, I think that there is a response to that.
Q346 Mr Prosser: Mr Llewellyn, Intellect have told us that their members have been involved in card schemes very similar to what the government is proposing in various parts of the world. What would you say are the most important practical lessons you have learned from that involvement?
Mr Llewellyn: It is clear that in issuing an electronic token which is potentially of such great value and significance it is very important that we should address all of the process issues to do with issuing such a valuable token and do it very thoroughly. I made the point about the integrity of the system which issued the cards in the first place. Clearly, what the UK passport service is currently trialling is a component of the process which would issue these cards to individuals, so it is very important that the integrity of the system which issues the cards is very high. I would add another point from a personal perspective, which is that government does need to think through all of the implications of the introduction of the card, and I echo the professors' point that it needs to be clear about the circumstances of use so as to think through all of the scenarios and circumstances of use and have a clear understanding of what is to be done if there are glitches in the process so that people are not paralysed by an unforeseen incident. Foresight is very important on the part of government. Finally, there is a vision, if you like, which says, "Here is something which is potentially opening up the full potential of the electronic universe that is all around us", and there needs to be that visionary expression of where the future might go in delivering convenience to citizens and saving costs in the administration of government.
Q347 Mr Prosser: Professor Thomas and Professor Anderson, both your organisations talk about the German system of identity cards and you seem to show some support for that approach. What are the advantages?
Professor Thomas: I am attracted by what little I know of that system simply because the card number is merely an identifier for the card, not for the individual, but when the card is re-issued, as it will be periodically through the person's life, they get a new number. That stops the number being used by large numbers of other organisations as a personal identifier, as, for example, happens with the social security number in the United States with a range of problems which are fairly well known.
Professor Anderson: I endorse that. The Germans have perhaps the strictest interpretation of data protection law in the European Union. They have a tradition of identity cards which goes back at least to Bismarck. They have found that it is not as difficult to reconcile the two and in fact, if you look at a German identity card it looks just like the back page of a passport with the same kind of information. On your passport you have got a passport number rather than your national insurance number, so if somebody starts trying to identify you as this number then next week when your passport runs out the database will be confounded. There is an existing practical way of identifying people. I think that the government's recent proposals, namely, of building on the existing passport system and then perhaps filling in the gaps later (subject to parliamentary approval) are a lot more sensible and practical than what was being talked about at the beginning. None the less we must ask the question: why are passports not used very much more widely by businesses and by other service organisations at present?
Q348 Mr Prosser: Professor Thomas, you mentioned the way that the US security number system can be abused. Can you tell us a little more about that and how widespread it is? Is it worse than in this country in the way national insurance numbers are stolen?
Professor Thomas: It is unfortunately common in the United States for the social security number to be used for all kinds of identifying purposes. For example, students enrolling in courses on campus will routinely have their accounts set up with their social security numbers as their passports. Since it is very easy to obtain somebody else's social security number it means that it is very easy to pretend to be them under a wide range of circumstances. Once you start doing that you can acquire further information about them that makes it even easier to impersonate them. The fact that you have a single identifier that stays with you for life, which becomes widely known to other people for legitimate or illegitimate reasons and which then gives those people the ability to access your personal information and to impersonate you, is a plague that is causing a very wide amount of damage throughout the United States.
Q349 Chairman: If the Government in its proposals came forward and said, "We will not have a lifetime number identifier", as they are proposing at the moment, would there be any consequences for what the government says it wants to achieve with an ID card, or is that a simple policy change that they could make and still carry on with the business of identifying people?
Professor Thomas: You need to understand what they really want to do with the identification card. If all they want is the ability to have a physical token which can be shown to belong to a particular individual on some occasion when they are challenged, and some data that is on that card which is valid at the point of challenge, then clearly you do not need a long history of use; you do not need that data trail to persist over an extended period of time. Even then you have got the problem of what happens when the security on the individual card is compromised.
Q350 Chairman: Supposing they dropped the lifelong number; you would be able to use it as an identifier. What would they not be able to use it for?
Professor Thomas: Unless it was merely a fiction that it was not a lifelong number or was merely a subsequent manifestation of a pointer into a common database, they would not be able to trace the pattern of usage of that card, that number, that identity, over an extended period of time.
Q351 Mr Taylor: My first question is applicable to all witnesses. Could I ask you what evidence of identity should be required for enrolment into the system and is it practicable to check the whole database at each new enrolment to ensure that a biometric just registered is not already on the database?
Professor Thomas: That clearly depends how important it is to you that you have got the identity right. One of the problems of using a single card for multiple purposes is that you need to make sure that the integrity of the enrolment process is adequate for the most demanding application for which this identity will ever be used. If you are going to use the identity card as a means of letting certain select individuals into rooms that contain top secret documents then you are going to have to ensure that all people who enrol go through an enrolment process that satisfies the requirements of the security services for access to top secret documents. If all it is ever going to be used for is to give people access to free transport on buses then you can afford to be a little more relaxed about it.
Professor Anderson: A lot of care has to be given to the issue of pre-enrolment fraud. This is already a big deal and once we start putting chips in passports it will become worse. I am told that there was recently a gang exposed that was selling British nationalities to people in Pakistan, which was obviously of concern given that there are terrorists there about. The modus operandi was to put an advert in a newspaper in Britain offering a job for, say, a security guard at a slightly larger than usual wage, say, £7 an hour. Thousands of people applied, they filled in on the application form all the information that you need to apply for a British passport, and they were also asked whether they had got a passport. Out of that bundle you take some people who do not have passports and you fill in the passport application forms in their name with the photographs of the guys you want to get into the country; standard pre-enrolment fraud. You are not going to make that any more difficult when you bring in a chip. You may in fact increase the incentives for it and that has to be thought about very carefully.
Mr Llewellyn: I would make an observation there though that, with the association of a biometric with a smart card chip, or a chip where the chip is in a card or some other thing, it would I think be much more difficult to do the kind of fraud that has just been described because the unique individual characteristic of the person who is enrolled as it were blocks anybody else from taking that same identity and it blocks anybody else from attempting to present part of themselves off as the person who has just offered their biometric and had it registered on the database. Therefore, with adequate documentary fraudulent proof you could register as me but then I could not register as me because our biometrics would clash when we were trying to get into the same database. With the addition of the biometrics to the enrolment process here you do not eliminate the danger that somebody with the right forged documents could impersonate me but you would then make it impossible for me to register in my own name and you would also make it impossible for them to register in another name, and as soon as there was a clash caused by the duplication of biometrics there would be an incidence to be investigated.
Professor Anderson: With respect, I do not think biometrics change much in this context because if our chap from Al-Qaeda has got a passport pretending to be Suleiman Mahmed from Bradford, then as soon as Suleiman applies for a passport under the current state of affairs the fact that the passport has already been issued in his name can cause an alarm to sound. The issue here is the average time that will elapse between the person being impersonated and his applying for a passport. There is also a second issue, which is the kind of biometric you use. If you use a biometric such as an iris code then you will be able to notice if somebody has applied for a passport in two different names, but if, as is proposed in phase one, all you have got is a digitised photograph sitting in contact with a smart card chip in the spine of your passport, there is no such warning because it is very difficult, although it is a computationally feasible task, to match faces with any useful degree of precision.
Q352 Mr Taylor: Assuming the system had successfully been put in place using both fingerprinting and iris recognition and covering 60 million people, how long do you think it would take to register an individual and how long to verify identity?
Mr Llewellyn: The first thing to say is that the UK passport service is currently undertaking a trial, one of the major objectives of which is to look at the process time from a person coming through a door into an office to going out having registered, and so the time for that transaction is at the moment being explored. It will obviously not be appropriate to try and say anything definitive about that.
Q353 Mr Taylor: Because we will know their answer in due course?
Mr Llewellyn: Yes, we will know the answer arising from that trial. Early indications in terms of what has been done in laboratories would say that the time to capture a biometric and put it on to a database and print a card which has got that biometric embedded in the chip is in the low number of minutes. We are not talking about an hour's process or anything of that sort. What is vitally important, of course, is that you not only have that component of the process which is the biometric component, but you also have the process which is the checking of any documentary evidence that the person has with them and possibly checking what is called the biographical footprint, which would be something where corroboration of a person's identity would be sought by reference to other data sources, and those things are potentially much more time-consuming than the process of offering and capturing a biometric.
Q354 Mr Taylor: It is not much use for me to leave the station where these things are issued with a card that perfectly reflects my fingerprints and perfectly reflects my iris unless somewhere it also says "John Taylor, born 19 August 1941", so there are going to have to be some other inputs which I am going to have to be able to verify.
Mr Llewellyn: Yes, absolutely. The whole question of the process to issue an ID card is exactly what is being explored in part by the passport service trial at the moment, and there is no doubt that in addition to having a fingerprint or an eyeball you would also need to have documentary evidence in other areas to show who you are, and all of those things have to be collated so that at the time that you enrol there is confidence that the documentary evidence is correct, that the biographical footprint is correct and that a good quality biometric trace has been captured. Once those three are put together then you have what can be described as a gold standard of identity attribution and that is the critical thing which would underpin the integrity of any system using an ID card. Referring back to some of the answers that were made earlier regarding the IT systems and the integrity of those, I think we do need to allow for the fact that the sophistication of the technology has advanced and is advancing very dramatically, which means that we can have much more confidence in an IT system built today than we can in systems that are ten years old.
Q355 Mr Taylor: Should we not in the margin at this stage say that there is also going to need to be addressed the training of the people who do the enrolling?
Mr Llewellyn: It is absolutely critical that the enrolment process is a matter of people and technology and documents and the people have to be properly trained, the technology has to be robust and the documents have to be of high quality and capable of being checked. This is not by any means just a technology issue. It is also a people, processes and principles issue.
Q356 Mr Taylor: Chairman, I have one more question which I would like to put to Professor Anderson if I may. Professor, I think you said that fraud patterns do not appear to vary across Europe according to the presence or absence of ID cards, but what about levels of fraud? First of all, are you content with the assertion that I have attributed to you?
Professor Anderson: Yes.
Q357 Mr Taylor: The question then is, what about the levels of fraud?
Professor Anderson: I worked for three or four years in the banking industry and as a consultant for them occasionally thereafter and my experience from that is that the main determinant of levels of fraud is not the card technology that you use but how diligent you are at checking on line whether a transaction is valid or not. In Spain, for example, where they made a rule 15 years ago that all credit card transactions had to be verified with the bank regardless of how small the amount, they had a much better reduction in fraud than they did in France where they went to a more complex card technology. In my experience that was a defining experiment. It is not the card technology; it is the processes that surround it.
Q358 David Winnick: Is it not interesting, Professor Anderson, that in the Home Office consultation document the argument is put forward that it is possible that if a card scheme came about the banks and other financial institutions would rely on that to such an extent that they would not necessarily check in the manner in which they are now doing? In other words it would weaken the fight against fraud rather than strengthen it?
Professor Anderson: I cannot see the banks moving to somebody else's technology for the basic processes of getting cash out of an ATM or paying for a meal at a restaurant. What might perhaps be useful is that when you open a bank account you might be able to present a passport rather than having to go round with armfuls of gas bills, water bills and so on. This is something that could be done today. Most people have passports and an even larger proportion of people who open bank accounts have passports, and so I suspect that by simply changing money laundering guidelines the government could encourage banks to accept passports rather than gas bills as primary identification. As far as subsequent transactions are concerned, I doubt that the technologies would be even remotely compatible. What is proposed by the ICO and the new biometric passport is a contact with a smart card chip of the kind that is typically used in door opening applications, whereas what the banks have standardised on or widened in the chip process is a contact smart card and the two have their advantages and disadvantages in different situations but they are not compatible.
David Winnick: Do you get the impression that if a particular argument in favour of an ID card falls by the wayside the Home Secretary is only too willing to come forward with another argument to justify it?
Q359 Chairman: That would be a leading question in the old Perry Mason days, but please do answer it.
Professor Anderson: I see a number of arguments in favour of ID cards that I do not find at all convincing and, not being involved in the cut and thrust of party-political fervours, I have tried to deflate them gently in the submission I have made to the Home Office.
Q360 Mr Cameron: Can the Home Office manage a procurement project on this scale, which I suppose is a bit like asking can Tim Henman win Wimbledon? It is a leading question. Let us start with Professor Thomas. In your submission you say very clearly that technical requirements must meet real world requirements. If not, "it is inevitable that the technical requirements will change, leading to delays, cost escalation, and loss of control over project risks". Given the questions you put in your submission do you think it is possible for the government to get this right in terms of procurement?
Professor Thomas: Technically, yes. Politically, no.
Q361 Mr Cameron: Why politically no? If the person in charge of procurement was a mixture of Einstein, Lichtenstein and Mother Theresa, all-seeing, all-knowing, why is it still going to go wrong?
Professor Thomas: Most of the government procurements that have failed spectacularly have failed, at least in part, because the requirements for the procurement were not properly under control at the point where an attempt was made to transfer the risk to the supply industry, and consequently the supply industry has been very effectively trained to claim simply to be able to deliver whatever the government wants, knowing that it will get off the hook when the requirements come. That has to stop but it requires a level of discipline amongst those who are seeking to procure systems, which does not appear to come naturally to government departments and those procuring systems on their behalf. There are some very hard questions which need to be asked about exactly what the limits of using ID cards will be, and how widespread will be the facility to update the data on the cards and the data in the central database, for example, is an issue which will have a dramatic effect on the underlying security of the system that is built, and therefore the rate of failure in the two directions of false acceptance and false rejection that would occur. Those issues have not been addressed.
Q362 Mr Cameron: In a nutshell, is what you are saying that if the government set out the requirements, got them right and left them alone, there will always be a tendency to change because this is a developing area?
Professor Thomas: No. I suspect that there are conflicting requirements and that those conflicts are cloaked over rather than addressed and resolved, and I think that that happens very frequently in government procurements and that there are hard political decisions to be taken and the assumption is made that somehow the supply industry will solve that problem and that ministers or officials will not need to. It has never worked in the past and it will not work this time.
Q363 Mr Cameron: That is very clear; thank you. Professor Anderson, you argue in your submission that you do not believe the Home Office's costings and you think that consolidating a lot of these systems into one system always costs more than expected. Is it inevitable?
Professor Anderson: It is not inevitable but that has usually been the case in the past. Economists in the software industry have come to the conclusion that the value of the software contract of a company is roughly equal to the lock-in for all its customers. Suppose you have a company with 100 people and you are paying £500 per office for each of these people, what that is saying in effect is that it would cost you £50,000 to retrain everybody to reconfigure the machines throughout all the offices and because it cost more for them to do it than it would cost on average across the whole of the company then they get to put up the prices. This is very well understood in the packaged software industry but I think it is only coming to be understood in public procurement in that if you have a small system, say we are doing national insurance numbers and something goes wrong, you can hold ministers to ransom and say, "Give us another £200 million to fix this or do we embarrass the whole of the social security system", etc. If you have a larger system you have ministers over a bigger barrel.
Q364 Mr Cameron: Can you not put penalty clauses and other things in? Once you have understood the very clear nature of the market failing you set out, that basically these companies have got you over a barrel, that what they are doing for you is so valuable that you do not want to cut them off halfway through, can you not have penalty clauses and make it possible for ministers not to end up with egg on their faces?
Professor Anderson: Sure, it is possible, but it is up to the government and I must say that some departments are better at it than others. The Ministry of Defence, for example, has a reasonable amount of experience in dealing with large, complex procurements for over 20 years from single source suppliers. The Department of Transport, with whom I worked on tachographs, for example, are also fairly shrewd.
Q365 Mr Cameron: Where do you put the Home Office in the list of angels and devils?
Professor Anderson: My only experience in dealing with the Home Office so far has been my involvement in the investigation of the Regulatory Powers Act a few years ago. I must say they are beginning to learn about the future of communication systems but how good they are at procurement is not something on which I could safely venture an opinion.
Q366 Mr Cameron: So definitely two sceptics at this end of the table on procurement. Let me move to Intellect.
Professor Thomas: May I just add one point? Penalty clauses are fine if the only risk is the risk of financial loss. You can transfer that to a penalty clause if you can define it well enough and manage to get it enforced. Where the risk that you are trying to transfer is a business risk or a political risk, loss of service or considerable public unrest as a consequence of a government service not being available and not being available on time, penalty clauses are meaningless in that context. They are not even answering the right question.
Q367 Mr Cameron: Is there any other way round it?
Professor Thomas: No.
Q368 Mr Cameron: Thank you; that is very clear. Let me move to Intellect who I think are more optimistic. You seem quite confident that the Office of Government Commerce guidelines and mechanisms can deliver IT projects successfully. Is that a fair summary of your position?
Mr Kalisperas: Essentially we have a package of measures which we launched last year which currently the OGC are looking at - definition of projects, strengthening the gateway within the process. I think we are in a better position to take forward projects than we were two, three or four years ago. I would disagree with Professor Thomas in that by and large projects do not fail at the instance where risk is transferred. By and large projects fail at the very early stages of their conception when government decides and procurement agencies do not properly discuss their requirements with the industry, so they do not at those very early stages get an understanding of what the market is capable of delivering and what capacity it has.
Q369 Mr Cameron: But when you look at all the IT projects we have had - social security and the Home Office - has not Professor Thomas got experience and right on his side, that most of these things have had massive cost overruns? They have taken far longer, have been hugely expensive, often have not worked and there have been massive delays. I am just trying to work out why you feel so optimistic.
Mr Kalisperas: If you look at the most recent reports which have come out from the NAO as they relate to the Criminal Records Bureau or the Inland Revenue tax credits, some of the most basic failings that they identified were, for example, with the Criminal Records Bureau that they did not anticipate in the planning that there would be an increase in applications during the summer months. For the tax credits there was not enough give in the system to cope with three million applications as opposed to two million applications and that sort of thing.
Q370 Mr Cameron: If they cannot get those simple things right how on earth are they ever going to get identity cards for every human being in the United Kingdom for multiple purposes?
Mr Kalisperas: Because by and large those have been failings whereby the systems did not go through the gateway process and those were projects which had not been adequately scoped with the industry. We are not in the business of trying to take money off the public sector. We are in the business of making projects work. It is very straightforward. What we need to do and what we have been encouraging the government to do is talk to industry before they write tenders, even before they are advertised, see what industry is capable of doing, see whether the political timescales that have been foisted upon civil servants are realistic.
Q371 Mr Cameron: Is this what you mean by concept viability, which "will enable public sector organisations to use the industry as a 'sounding board'"? Again, is this not a bit naïve? Are not some businesses always going to say it is a little bit what the government wants to hear in order to help them have a more favoured position? Is that not right?
Mr Kalisperas: Where we believe the concept viability will help is that it provides a platform. Intellect is a technology neutral trade association. We are not-for-profit. We have no products to sell. Concept viability will enable our members to go back to government departments and indicate to them where scope-defined projects are unsuccessful or have the potential to fail using Intellect and the feedback will be anonymised. Our members feel comfortable that they will be able to use Intellect as a vehicle for channelling their fears. Additionally, what we would like to see is that the public sector is able to contract skilled project and programme managers to take forward this work. There has been in more than one case a clear shortage of skilled staff and the public sector needs to pay to get the right people on board in order to deliver these solutions.
Q372 Mr Cameron: Can you give an example where a potential public sector client has ever been advised that a project is not viable and therefore should not go ahead?
Mr Kalisperas: We have not. Concept viability was launched at the end of last year, so we have not run a workshop yet. We are in discussions with four or five government departments about running workshops, so we have not actually run a workshop yet but when we do we will feed back to the committee.
Q373 Mr Cameron: The question I would like to ask all of you, to which a yes or no answer is sufficient, is: do you see the public procurement difficulties as insuperable?
Professor Thomas: Yes, I do. I would like to tell you something that you will not believe but which I think it is important that you hear, and that is that almost every IT supplier in the world today is incompetent. I have worked in the IT industry almost all my working life for large and small organisations, and I know whereof I speak. For example, the typical rate of delivered faults after full user acceptance testing from the maker suppliers in the industry over many years has been steady at around 20 faults per thousand lines of code. We know how to deliver software with a fault rate that is down around 0.1 faults per thousand lines of code and the industry does not adopt these techniques. We are as an industry very much in the early stages. The industry is only 50 years old. If you compare that with civil engineering, which is several thousand years old, we are tackling some of the most complex engineering designs and building some of the most complex engineering systems that the world has ever seen, essentially using craft technology. If you looked at the methods that are employed in most companies you would come to the conclusion that actually IT system development is a fashion business, not an engineering business, because they jump from one methodology to another year after year so long as it has a whizzy name, "Agile this" or "Intensive that". The underlying engineering disciplines that every mature engineering discipline has learnt it needs to use in order to be able to show that the system it is building has the required properties have not yet been employed in software and systems engineering, and that is at the heart of why these things do not work.
Mr Cameron: That is a very encouraging answer!
David Winnick: The blood pressure is rising on Professor Thomas's left!
Q374 Chairman: We could have a fascinating debate about all of that but I just want to ask you an immediate question. We have heard earlier this afternoon that there is insufficient definition of the circumstances in which an ID card would be used to be able to specify how often it would need to be checked against what type of database for information. Much of the budgeting for the ID card project is confidential from the Home Office at the moment. Is it possible to begin the process of saying whether the project would be achievable unless we have both complete openness about budgeting and a greater level of definition of what the project is intended to achieve? What is the basic information that should be available and in the public domain to enable a project of this sort to be given adequate scrutiny, not just by the industry but for those like Professor Thomas who are sceptical about some aspects of the industry's performance, if I can summarise his position like that?
Professor Anderson: I think it might be helpful if there were some scrutiny of the tendering process as specifications are drawn up and put out to tender. That sort of thing should be public. If, for example, the Home Office has taken a narrow targeted approach in saying, "Right: let us reform the passport systems so that they contain the new digital photograph chip that the Americans require as phase one. Let us get it right, and once we have got it right and got it out there we will worry about phase two". That would be reassuring. If, on the other hand, they want a complex system designed which they can use to link in all other stakeholders later as a means of creating a political momentum of a product and scope in building an empire, that would be cause for alarm. What I think we need to add is some clear signal of which path they are intending to take. If the thing remains covered by Official Secrets to the point that even Parliament does not know which path the Home Office is intending to take, then that is bad news.
Q375 Chairman: Is this an area of software development where it would be much better if the detailed design of software and systems were always in the public domain than one in which this was kept as it were under the Official Secrets Act? This is a debate which I know goes on about software systems all the time.
Professor Thomas: Security by obscurity is never a good idea. If you are trying to build a system that you do not want to be able to be attacked, then making it possible for lots of people to look for the vulnerabilities in it early is the way that you eliminate the vulnerabilities. Simply crossing your legs and hoping that they will not be banned because you have tried to keep the details obscure never works. If you do not believe me, ask Bill Gates.
Q376 Chairman: Would the industry be prepared to go ahead with the procurement process on that basis?
Mr Llewellyn: I think the industry would certainly want a clear and unequivocal specification of what is required. Referring to the earlier point, there is absolutely no question that if there is not clarity of specification, as with circumstances where you invite a builder into your home to do something about it, if you have not specified what you want, the chances are -----
Q377 Chairman: Could you address the specific point about whether the software engineering should be a public domain matter or should we give commercial confidentiality to whoever wins the contract?
Mr Llewellyn: I think that it would be necessary to protect some aspects of the engineering in order to make it difficult for any potential fraudster because if you simply set out the source code for the whole system and the design of the security around the links between the database and the points of registration, I think that would be absurd because that would be giving a blueprint to potential fraudsters. I think there is a middle course which would enable you to have sufficient clarity for informed observers to know that the right solution was being proposed without putting the public at risk by giving this blueprint.
Q378 Mrs Dean: Professor Anderson, you doubt the efficacy of biometrics: would your concerns be reduced if the scheme were to use two biometrics, such as fingerprints and iris scanning?
Professor Anderson: If you use two biometrics then what you may do is shift the balance between your false accept and false reject rates. Suppose, for example, you decide to pay a cheque but only if someone passes an iris scan and a fingerprint scan, then you are going to end up insulting a lot of your customers. Fingerprints are particularly difficult for older people and manual workers whose fingerprints wear thin and get damaged. If, on the other hand, you decide to pay out on a cheque if either an iris scan or a fingerprint is successful then you will have very many fewer insulted customers but you will have an awful lot more fraud. What the engineering problem is about is finding the right balance point between fraud and insult. The balance point is very different in different applications. In banking generally we used to reckon that you needed an insult rate of less than one in 100,000 and a fraud rate of better than one in 100 for a biometric mechanism to be useful. At the time, ten years ago, we found that there was no biometric that would meet that. Nowadays iris scans might but, then again, there are human interface aspects: how many people would be comfortable staring into an infrared light on a cash machine? There are complex engineering issues. My book on security engineering has a whole chapter on the subject.
Q379 Mrs Dean: What evidence do you have that it is practically feasible to produce contact lenses to fake irises on a significant scale?
Professor Anderson: Well, I have not done it myself but I have seen a photograph of one that was produced by one of the researchers in the field and, given the underlying mathematics, I do not think there is any difficulty in principle with producing a contact lens that will produce a certain iris code. The manufacturers of iris scanning equipment will say in their defence that it is possible to measure the nictation, the oscillation in the diameter of the pupil. I understand that none of the equipment currently on sale does that and I would be worried that someone might produce a well printed contact lens with a sufficiently clear area in the middle where the movement of the underlying eye would be taken by the scanner as indicating that the genuine eye were present. There is room for further technological work here. As things stand I am afraid that iris scanners, like fingerprint scanners, are liable to be defeated by sophisticated attack if they are used in an unattended operation. Attended operation is different, of course: if you train the staff properly they can feel people's fingerprints, they can look carefully at the eye and check there is no funny business.
Q380 Mrs Dean: Can I turn to you, Professor Thomas. Your doubts about the analysis of error rates for biometrics in the Home Office-sponsored feasibility study lead you to argue that "a well-controlled, independent, large-scale study" should be undertaken. In your view, does the UK Passport Service pilot meet these criteria?
Professor Thomas: I think it is capable of doing so. It is clear that the trial could very easily, were it the case, show that currently available biometric technology was not acceptable. Whether it can give you high confidence that it would be acceptable is not clear. In particular, until the full requirements of the system are known and the acceptable reject rates for application have been determined, it is not clear what criteria the trial could work to. I have not seen a full specification of everything that the trial is going to determine. For example, if it was focusing merely on enrolment times that does not necessarily give you all the information that you would need to know whether the reject rates would be acceptable for use in all the locations where you might want to use it. Also, I have some concerns about the statistical sample that Mori will produce because unless they have very good information about all the factors that affect the biometrics that they are looking at and their distribution in the population - I am not aware that data exists but perhaps it does - I do not know how they would draw a statistical sample that they could feel confident that managed to be sufficiently representative that you were not left with the problem that perhaps there is some group in the population who are going to be terribly disadvantaged by the introduction of this mechanism: people on particular medication, people with particular medical conditions, or some combination of those two perhaps.
Q381 Mrs Dean: In your view, what is an acceptable rate of mismatches?
Professor Thomas: That depends entirely on the applications for which it is going to be used. That is a requirements issue for the Home Office.
Q382 Mrs Dean: What measures need to be in place to deal with cases where individuals are wrongly denied access to services?
Professor Thomas: Again, it depends on the services that they are denied access to and what you consider to be adequate recompense. The danger is that if there is not a statutory framework for that then it would be determined by the court and it could turn out to be extremely expensive depending on what the courts decide.
Q383 Mrs Dean: Turning to all of you, how do you think that the inclusion of biometrics will affect public acceptance of ID cards?
Mr Llewellyn: I am aware of a public opinion survey that was conducted at the beginning of 2003 which was with a highly respectable sample according to current methodologies which asked views on the principle of an entitlement card, as it was titled at the time, and public acceptance there was 80% in favour of the principle of an ID card. When people were asked what they felt about the biometric process of capturing the biometric, be it a fingerprint or whatever, again there was a clear majority who were content with the idea of a biometric being given. My view on the public acceptability of biometrics as a way of securing a card is that there is already a high degree of acceptance amongst the general public.
Q384 Mrs Dean: Do either of the professors want to comment?
Professor Anderson: I suppose back when I was involved with the banking industry we had some experience with this because in the mid-1980s Nixdorf came out with a banking terminal which could identify people by their fingerprints. There was a lot of discussion about whether this would be appropriate and there were some trials that were done. What we found was that in Germany, and I do not recall any data for the UK, there was resistance to this because fingerprints are associated with being arrested and carted off to the police station. In fact, there was quite strong resistance. In India and Saudi Arabia there was no resistance because they have large illiterate populations who are used to operating their bank accounts by means of a thumbprint and a password. My guesstimate would be that if you put fingerprints into an ID card there might be significantly more public resistance than if you have merely an electronic digitised photograph. With iris scans it would be somewhere in-between because some people are sensitive to the infrared light that is used to illuminate the eye while the scan is being done. What I expect you will also find, and which they did not pick up in the Passport Office study, is that people who live in remote areas will find it a confounded nuisance not to be able to renew their passport by post, or perhaps eventually to be told to go and get an ID card in the city otherwise they will not be able to use their GP any more. I think of my parents, for example, living in the West of Scotland, getting on a bit, being ordered to go to Glasgow or, worse still, to Peterborough to present themselves for scanning and I can imagine my father would be rather cross. Multiply that by millions of people living in rural areas and you can expect some kind of backlash there. Finally, you have got to look at groups who simply cannot provide the required biometric. Thousands of people in the UK have got no fingerprints thanks to Thalidomide, surgery, diabetes, accidents, etc; tens of thousands of people do not have eyes and cannot offer iris prints. Again, an awful lot of thought has to go into these groups at the margin who are not going to be picked up simply by a public opinion process involving a few thousand people wandering through the Passport Office.
Mr Llewellyn: Can I just make a point of information regarding the Passport Service trial? That Passport Service trial is part of the sample where individuals who would go through the process would be selected deliberately in association with disability lobby groups in order precisely to represent the variety of physiological challenges that people experience. It is not a matter of simply taking the first 10,000 people off the street; there will be a deliberate plan to incorporate people who have the kinds of physical challenges that would make biometrics difficult to achieve on the face of it.
Q385 David Winnick: In your paper, Professor Anderson, at paragraph 13 on page four, you question the Home Office claim that there is public support for identity cards. The Home Secretary has made quite a bit of publicity or what have you saying the survey shows there is widespread public acceptance. Why does your organisation and yourself apparently disagree with that?
Professor Anderson: This is a point that I reckon would be more substantively made by Stand, which is stand.org.UK, which is an organisation of volunteers to try to facilitate electronic participation in the political process. As I recall, during the Home Office consultation they made available a website whereby people could easily make their responses to the consultation on ID cards. My understanding is, and I am not a member of Stand but I have spoken to them, all of these responses were treated as a single petition and thus as one vote by one organisation against ID cards rather than, as the Stand people thought appropriate, 5,000 submissions by individual members of the public, the majority of whom were against identity cards. In fact, one of my colleagues at the university sent a submission via Stand which was supportive of identity cards - he is from Germany and he thinks identity cards are great - and he was most put out that his vote in favour of identity cards was counted as one five-thousandth of a vote against. I believe this is an issue that has been aired already in other fora.
Q386 David Winnick: No doubt we will take that up with the Home Secretary. Your organisation, Intellect, argues: "The success of an ID card programme depends both on widespread acceptance and uptake by the citizens and extensive publicity of its benefits". Would you care to comment on that?
Mr Llewellyn: Sorry, the success depends?
Q387 David Winnick: "...on widespread acceptance and uptake by the citizens and extensive publicity of its benefits". That is the view of your organisation.
Mr Kalisperas: Without being too flippant here, it is almost a statement of the obvious. Allied with any work which goes on in looking at the technical aspects of the card and implementing the IT solution, there also needs to be an extensive communication campaign explaining to the public why an ID card is needed in whatever form the Home Office decides to finally launch one. An extensive campaign needs to take place to ensure that the public feel comfortable with the enrolment process and registration process. In effect, the point that we have tried to get across, which maybe some other organisations do not seem to understand, is we are not talking about an IT project, we are talking about a business change project. The technology is just one aspect of that. We need to ensure that you have the right people running the registration and enrolment processes, we need to ensure that the political will is there, we need to ensure that the right people are being trained and we need to ensure that the right sort of legislation for technology is there. All of that requires time and all of that requires co-ordination. It is clear that what we need are all of the various stakeholders pulling in one direction rather than a few organisations carping from the sidelines.
Q388 David Winnick: What you have just said for me, I do not know about my colleagues, seems to uphold every single word that Professor Anderson replied to me, namely that there is not so much enthusiasm for the card - correct me if I am wrong - but what is required is for the Home Office and the Government generally to persuade the public that such a card is necessary.
Mr Kalisperas: What we need from the Government, and it has been a recurring theme throughout this session, is more information on the exact specification of the card. That is what we need.
Q389 David Winnick: So really you do not disagree with what Professor Anderson said?
Mr Kalisperas: At this present moment in time it is almost like asking how long is a piece of string. At the moment you are saying "Are you in favour of ID cards, yes or no?" and different people will interpret that question in different ways. Until we actually know exactly what an ID card will entail then there is no way that you can judge public opinion realistically in much the same way if you ask a member of the general public today how they are going to vote, are they going to vote Labour, Conservative or Liberal Democrat. Their views today may be influenced by a variety of different things and if you ask the same question tomorrow or in a year's time it may be entirely different. Until we actually see what an ID card will do, clearly specified from the Home Office what the registration process will entail and what the enrolment process will entail, until we have a clear idea of that it is far too early to judge whether public opinion, yes or no, is in favour of the card.
David Winnick: You are saying that public opinion has not made up its mind one way or the other.
Q390 Bob Russell: Gentlemen, throughout the hearing this afternoon security has been uppermost in the questions and in your answers, and I make no apology for returning to that without wishing to go over the same ground. I think this statement from the Foundation for Information Policy Research crystallises exactly the concerns where it says: "Creating a card that gives access to everything from medical care to welfare benefits to air travel will create a huge target. Serious efforts will be made to forge it, not just by criminal organisations, but also by governments", presumably foreign governments and not our own. I wonder if I could ask all of the witnesses how secure can a biometric card be. What measures can you take to prevent someone tampering with a stolen card to change the biometric data on it or, in fact, to utilise it for their own benefit?
Professor Anderson: Assuming that we have launched some time in the next two years a passport which has got a chip in it which contains a digitised image of the holder's face, what we would expect to find is passports where the chip has been removed, where you have taken the chip out of one passport and put it in another so that you get a different reading of the chip when you read it electronically from what you would have when you simply open it and look at it. We had experience of this in banking back in the 1980s because when people brought in the first terminals that could be used to swipe and verify credit cards, what the bad guys did was they got a stolen credit card and they would then re-encode the magnetic strip with data that they had taken, typically from a carbon that was discarded in the bin of a posh restaurant. A rich person's credit card details were encoded on the strip, on the card, whose embossing details were stolen. The villain then goes to a bullion merchant and buys a few thousand pounds' worth of Krugerrands and the terminal says "This card is fine" but then when the merchant submits the voucher it bounces. This caused us immense problems in the mid-1980s. You can expect the same kind of problems. You can expect all sorts of other incremental problems. They are typically not going to be problems where somebody breaks a specific mechanism but where people exploit procedural work-arounds, where they manage to work their knife between two slabs of the floor and prise the stones apart a little bit. It will be this kind of thing that you will get in the first instance. Later on what you may find is either people find some way of tampering with the chips themselves, for instance being used in offline mode, or you may find it more likely that people will start tooling up with fake contact lenses and fingertip covers which is an awful lot easier than tampering with the chip is nowadays.
What you may also find is people will find some means of tampering with the database because the database, presumably, will be relatively shielded against direct attack but people are still going to have to input information into it. For all of the organisations which enrol people one way or another, and think of all the British consulates around the world you can go to if you are a British citizen resident abroad and you can get your passport renewed, is it always going to be the case that no one single employee of any of these organisations will be working for the other side or on their own account? I would say that the likelihood of maintaining complete control over all the staff with the power to register people on the database is minuscule. You have got all these things to worry about and there will be leakage.
Q391 Bob Russell: Mr Llewellyn, what is your answer to that Doomsday scenario?
Mr Llewellyn: I think it is precisely a Doomsday scenario. Let us go back to some basics. If you are looking at the physical integrity of the chip that is on the card then the industry would say, and I am not personally competent to go into the bits and bytes of this, that the chips on the cards cannot be interfered with in a way which is not, as it were, tamper-evident. In other words, you could get into the core of the card and change something that reflected the identity, but the very process of going into the core of the card and doing that would render the chip unusable. I think the scenario modelled on the old mag stripe days is simply a canard because chips on cards, or chips not necessarily on cards, are intrinsically very, very much more difficult to interfere with than the mag stripe. Clearly you would need more technically competent people than I to convince you that the chips are absolutely fraud-proof but I believe there is a very, very strong assurance that you cannot mess around with the chip without it being apparent. That is one point. The second one is the integrity of the biometrics which, as it were, padlock the individual human to this electronic trace. There again, fingerprints and iris codes have a very, very high level of integrity, notwithstanding the points that were made about spoofing. I think it is true that the latest generations of cameras and the latest generations of fingerprint detectors are extraordinarily difficult to spoof. It would be stupid to say that they are impossible to spoof but they have very high levels. If you combine the very great difficulty of interfering with the chip with the very great difficulty of interfering with the biometric you, as it were, multiply two very, very tiny risks and create a minuscule risk.
Q392 Bob Russell: Would that minuscule risk be made even more minuscule if fingerprinting and iris recognition details were taken at an earlier age? What would be the earliest age at which you would suggest somebody could get an identity card recognition?
Mr Llewellyn: I believe that the fundamental science in looking at the physiology of the eye would say that the iris code is stable from the age of six months, so it would be possible theoretically to take somebody in infancy and capture a biometric that would be stable throughout their lives as long as they kept their eyes. Yes, clearly the earlier that you capture the biometric and associate it with the unique human being the more robust would be the long-term system you put in place.
Q393 Bob Russell: Presumably the fingerprints would have to wait until maturity?
Mr Llewellyn: I believe it is the case that fingerprints do change not only because of physiological interference and so on, but they actually evolve, and certainly the face does as well. From that point of view, comparing the three major candidates for biometrics, the iris technology would appear to be more robust but there are other considerations.
Q394 Bob Russell: Professor Thomas, you observed that security and integrity are not absolute qualities. From your experience of database management, what level of database security is possible, if at all?
Professor Thomas: You have got issues to do with security of the chip on the card and you have got issues to do with security of any data that is stored elsewhere. You need to look at both aspects because it may be data on the card whose security you are worried about or it may be data stored in a linked database that you are using the card as a key to access. I do not have the level of complacency about the security of chips on cards that Intellect have. No card-based chip has yet proved to be completely unable to be broken open if you are prepared to apply sufficient resources to it. Although you may have to wreck a few chips in the process, once you have actually determined how to break the encryption on the chip and you can understand the workings you can make your own.
Q395 Bob Russell: Mr Kalisperas, you were disagreeing.
Mr Kalisperas: While I am spending probably the rest of the evening working out how we have managed to offend Professor Thomas, I would like to say that we have been working with the Home Office for two years and we have seen a variety of different companies - obviously Professor Thomas has not had that exposure - who have been quite innovative in the security that they can apply to card technology. If the Committee wishes we would be more than happy to provide information on the various different types of securities that we have come across, both as they relate to the design of the card, as it relates to paints, as it relates to databases, etc. We would be more than happy to provide a paper.
Q396 Bob Russell: A very simple question to which I would be grateful for a relatively short answer. Can the security of every record be realistically guaranteed?
Mr Kalisperas: Yes.
Q397 Bob Russell: We have got a "yes" there and shaking of the heads there, the jury must be out.
Professor Thomas: The easy way to break it is simply to subvert somebody who has got a legitimate reason to be able to change it.
Professor Anderson: This is the point I made earlier. If the third secretary in our embassy in Damascus is working for the Syrian secret police and has the ability to register people in the system and change details then the Syrian secret police have the ability to register people in the system and change details, that is fundamental.
Q398 Chairman: Mr Llewellyn, could you deal with that? You did not deal with the human failure in your previous answer.
Mr Llewellyn: Quite clearly, any IT system is only as good as the humans who operate it. This would underline the principle that the implementation of anything along these lines requires what you could describe as the 3Rs: restriction in the way that the system is implemented so that there is clear specification of what can and cannot be done; regulation of the users of the system, and that would include the third secretary in the embassy; and redress, which would mean systems whereby any abuse could be acted upon quickly once it is detected. It is not given to human beings to achieve perfection, so the answer to Mr Russell's question is no, it simply cannot be guaranteed, that would be absurd. What one can say is that taking a sensible approach to the risks and the opportunities, the risks on the one hand of fraud and the opportunities on the other hand of delivering government services much more efficiently, saving money in the delivery of government, there is a balance to be struck between those. The view of the industry would be that the upside opportunity for process improvements which translate into savings and improved services outweighs the undeniable risk of fraud.
Q399 Bob Russell: If I could put this question to Intellect, because Professor Thomas believes that a system built on commercially available products cannot be made secure against sustained assault. Do you believe that your members can meet the technological changes created by the Government's proposals? Does this include guaranteeing security and integrity of the system? I know you have partially answered but I need to pin you down a bit more on it.
Mr Llewellyn: I think a guarantee in the sense of a statement of absolute certainty cannot be made, could not be made and it is just not given to us in the human race.
Q400 Bob Russell: But you are confident at this end of the spectrum as opposed to Professor Thomas and his view at the other end of the spectrum?
Mr Llewellyn: Yes.
Q401 Bob Russell: Finally, if I could ask one and all if they would like to answer. How easy is it to upgrade a system, including any cards, with new encryption methods if the original security methods have been cracked and the knowledge of how to do it is widespread? In other words, if the people out there, the bad guys, know how to use the system, how can you put that right?
Professor Anderson: Let me first say that I do not believe many of the claims made for security of cards and biometrics just now. There have been a number of criminal cases where people have been sent away for fraudulent Pay TV cards and there was even one case in America where one Pay TV company sued another alleging that it had broken into the other firm's cards, got the codes and keys and published them on the net. There is much more information on this in my book and I am happy to contribute.
Q402 Chairman: That is the second reference.
Professor Anderson: This is an ongoing question, whether we can make cards invulnerable to certain analysis techniques, such as optical probing, differential power analysis, and we do not know how to do it yet. That is why you need some means of replacing cards. Sometimes you may have to replace a large population of cards at little notice. It has been the case that the banks have shipped millions of new ATM cards to people. It has been the case that Pay TV operators have suddenly had to produce millions of new cards and mail them out to all of their subscribers. One would hope that if you are building a system that people would be relying on for passports that you would design something that would degrade a little more gracefully, not relying too much on mechanisms that can just break suddenly, like that.
Q403 Chairman: Could I end with one question and you may well have answered already, but just to be clear. Professor Thomas and Professor Anderson, to the extent that you go along with doing this at all, you would say to the Government we should limit very much the purposes of what an ID card is there for and the database is there for, it is simply a system for trying to identify people and, Intellect, you say that the value of this card depends on large numbers of people wanting to use it and enabling them to access a wide range of services. Is there any way in the design or the engineering or the presentation of the system that those different points of view can be squared or is that a choice that the Government has got to make in deciding what sort of system it wants?
Professor Thomas: I believe that is the choice that the Government needs to make. I think that it is highly unlikely that it will successfully implement an ID card system within the timescale and budget that it currently envisages. I think that its best chance of doing that is to restrict what it is attempting to do and to reduce the complexity of what it is attempting to do as greatly as possible, to make it as simple as it possibly can because that will take some of the risk out. Most importantly, whatever it is trying to achieve it needs to define very clearly. I would plead that rather than letting a contract to implement an ID card system, it lets a contract to define very vigorous requirements for an ID card system and that the investment in equipment and in building the software to implement it is delayed until that requirement actually can be demonstrated to be unambiguous, free of contradictions and complete.
Q404 Chairman: Intellect?
Mr Llewellyn: I think it is entirely right that the specification of what is required must be clear. I doubt very much that it is ever possible to have a complete specification of what is required; once again I think that is a counsel of perfection. I completely agree that it is important for Government to know exactly what it wishes this system to do when it is implemented. We have said we believe the systems in place at the moment, principally driven out of OGC and its creation, will be sufficient to ensure that the delivery of what it says on the can is actually achieved.
Q405 Chairman: If the Government were to take Professor Thomas' view, which I think is Professor Anderson's, which is keep it simple and limited in order to make it achievable, would you then say that the trouble with that is the range of uses is now so limited that it really cannot achieve the level of take-up that you talked about in your evidence of it being multi-functional and very widespread in its public use?
Mr Llewellyn: I think it would be possible to reconcile the views from the two opposite ends of this table in terms of a range of capability that would achieve the take-up while not being too ambitious in the short-term so as to run the risk of tripping over oneself.
Mr Kalisperas: Unlike Professor Thomas, who is clearly on the outside looking in, we have been working with the Home Office for two years on this. They have not rushed to judgment in any aspect of the work they have been doing. In the work that they have been undertaking with our members they have kept an open mind. They have a better understanding of what the technology can do and what it can deliver and that process is ongoing. If at any stage we believed that the Home Office was going to produce a system which could not deliver the benefits which it hopes to deliver, or which we believe technically is not possible, then we would withdraw our support for the approach the Home Office has taken. This is the first time in a long time that a government department is working in partnership with the industry to look at what is possible. This is a crucial project for the IT industry and we are not willing to see it fail. Unlike Professor Thomas, I do not think we are an industry of incompetents. We are highly skilled, highly able people who have delivered some of the most leading edge software that this country has seen. Credit needs to be given to the Home Office for the approach that they have taken.
Q406 David Winnick: Do not misunderstand me, someone has to carry out the work, but when your group of companies, the organisation you are representing, are directly involved obviously they have a commercial interest in producing that.
Mr Kalisperas: These are organisations both large and small, multinational and domestic, who have delivered a variety of different solutions, card solutions, both internationally and at a very local level. These are organisations who have demonstrable experience.
Q407 David Winnick: Of course.
Mr Kalisperas: But I would also say that when it comes to public sector IT projects we are well aware of the increased scrutiny that there is among the general public and from Parliament and we are aware of the pressure that there is.
Q408 David Winnick: If I can just ask this question. If, sadly, the Home Secretary changes his mind or there is a new Home Secretary, as the case may be, who decides to reverse the decision the Cabinet has now taken, your companies would be adversely affected, would they not? There would be less work. You may get work elsewhere, again I do not wish to be misunderstood, there is nothing wrong in wanting to get government contracts and all the rest.
Mr Kalisperas: We have an interest in making sure that the public sector IT projects are delivered successfully, that is the bottom line. If the Government decides that it does not want to see it with ID cards that is a decision for them.
Q409 David Winnick: Yes, of course, but it would affect the companies involved.
Mr Llewellyn: There is a point here that ----
Q410 David Winnick: Can I just say that I am in no way questioning the integrity of your group whatsoever.
Mr Kalisperas: Can I just point out that if you look at the types of contracts that have been agreed in the public sector recently and some of the comments which have come out from organisations like BAE Systems, for example, I see that companies by and large probably would not be working in the public sector at the moment due to the extremely hard bargains that are being driven by their public sector customers, they would far rather be working in the private sector if they had the opportunity. At the moment we are dealing with the public sector IT contract and the customers are looking at trying to drive as much value for money as possible out of those contracts.
Q411 David Winnick: No-one is forcing companies to take Government contracts.
Mr Kalisperas: No.
David Winnick: That is a decision for the companies to take.
Q412 Chairman: Mr Kalisperas, you made the point that Professor Thomas is not involved in this process, but the companies that you represent are. Would it be reasonable for us to conclude before a firm decision is taken to go ahead that all of what you have been discussing with the Home Office about security of the cards, security of the systems, security of people, should be put into the public domain so that people like Professor Thomas and others who have an interest in these matters can actually scrutinise this and make a comment as to whether it is adequate, or would you be saying to us that we, as Members of Parliament or the wider public, should simply rely on the Home Office and Intellect and the companies you represent to get it right?
Mr Kalisperas: I would refer you back to Geoff's answer which focused on the balance between the need for openness and the need for commercial sensitivity.
Q413 Chairman: So it may be you are saying to us that we would have to proceed with the card without a full public debate about whether the security measures and so on would be adequate?
Mr Llewellyn: My personal view is that the supremacy of Parliament would apply here and that Parliament must be well informed about the issue at hand. To my mind, above all it is not a technical issue, it is a constitutional and political issue and, therefore, there must clearly be a proper constitutional debate about the circumstances and use of any such card, but it needs to be informed by an understanding of the technology, it needs to be informed by an understanding of the balance of risks which we have had expressed this afternoon, and the balance of opportunities. One only has to think that money is forgeable, money can be used for entirely immoral purposes, money can be the root of all evil and yet we cannot imagine working in our everyday lives without money. Similarly, I think the kind of transformation that a secure electronic form of identity would offer could be as positively transforming for all of our lives as is money, and that is the kind of debate that needs to be had.
Professor Thomas: That is exactly the argument for multiple cards. If you only had one bank note you would really feel vulnerable, would you not?
Chairman: Thank you very much indeed, gentlemen.